Let's encrypt DNS problem: NXDOMAIN looking up MX for server

JohnnyBravo (Verified User, joined Aug 24, 2018, 37 messages)
When I try to create a new SSL certificate, I get the following error (see below).
The strange thing is that it reports NXDOMAIN looking up MX for 'server', and 'server' is not the full server name, which should be something like server.domain.com.
So that's why I think 'server' can't be found, but where can I change 'server' into the full server name (server.domain.com)??

I'm using:
DA 1.53.4
Let's encrypt 1.1.10
Nginx 1.14.0 (reverse proxy)

Cannot Execute Your Request

Details

Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
.............................................................++
.....++
e is 65537 (0x10001)
Account registration error. Response: HTTP/1.1 100 Continue
Expires: Mon, 27 Aug 2018 10:54:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 164
Replay-Nonce: jG6tOA2eqFOQ4N4Yq4RIh-nBJoowrCUBYA44kqXw_tM
Expires: Mon, 27 Aug 2018 10:54:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Aug 2018 10:54:14 GMT
Connection: close

{
"type": "urn:ietf:params:acme:error:invalidEmail",
"detail": "Error creating new account :: DNS problem: NXDOMAIN looking up MX for server",
"status": 400
}.
 
It seems you have no MX record for the domain you're trying to create the cert for :)
 
The following gives no results:
$ dig mx dgs.one +short

So, if your admin domain is set to dgs.one, it's trying to use [email protected] as the email address, thus it needs to find an MX record for the dgs.one domain.
 
Thank you very much again Smtalk!

'$ dig mx dgs.one +short' now gives this result: 10 dgs.one.
So that looks good!
But dgs.one is not the admin domain but the domain I need a certificate for.

I've also made an MX record for my server: server.solutit.nl

So now it has to work, but the error still occurs...
 
Your DNS change is likely still propagating, and the old DNS is likely still cached on Let's Encrypt's DNS resolver. If you use the DirectAdmin default TTL, it is 4 hours. So it should work after waiting 4 hours.
 
It could indeed still be propagating.

Next to that, remember that if you want to use mail.dgs.one there should be an A record for it.
At this point an "nslookup mail.dgs.one" does not resolve to any IP address, which it should.
 
Thank you very much Ditto and Richard G,

I know I have to wait for DNS settings. So I did ;-)
We're now 12 hours further on and nothing has changed. Let me explain the problem again.
The error is exactly what I've shown you, so 'server' is not a value that I've chosen, it's what ./letsencrypt.sh tells me.
But that's not the full server name, which has to be server.solutit.nl, because when you do '$ dig mx server +short' there is no result, and that's what could be expected. It has to be '$ dig mx server.solutit.nl +short', so where can I change the server name so letsencrypt is searching for server.domain.com and not for server?
dgs.one is the domain I need a certificate for.
 
Can you check the output of:
Code:
grep mailto /usr/local/directadmin/conf/letsencrypt.key.json
 
Thanks for your reply again!

There is no file /usr/local/directadmin/conf/letsencrypt.key.json

Maybe another location?
 
Weird, are you running the latest version of letsencrypt.sh?

Code:
grep VERSION /usr/local/directadmin/scripts/letsencrypt.sh
 
I can't find the .json file but the .key file is present.

/usr/local/directadmin/data/users/solutit/letsencrypt.key
 
Ah, it's not there, because you cannot go through account registration with an invalid email address :) Okay, let's check it this way:
Code:
grep '^email=' /usr/local/directadmin/data/users/admin/user.conf | cut -d= -f2 | cut -d, -f1
 
While you were typing I discovered that the admin e-mail address was incorrect: it was admin@server. So I changed it, and with the command you provided the changed (valid) e-mail address showed up!! And NOW it's WORKING!!!

Thanks a lot!
 
We are experiencing the same issue with renewals:
Code:
grep VERSION /usr/local/directadmin/scripts/letsencrypt.sh
#VERSION=1.1.11

Code:
grep '^email=' /usr/local/directadmin/data/users/admin/user.conf | cut -d= -f2 | cut -d, -f1
[email protected]

Error message:
Code:
{
 "type": "urn:ietf:params:acme:error:invalidEmail",
 "detail": "Error creating new account :: DNS problem: NXDOMAIN looking up MX for server.hostname.com",
 "status": 400
}.

We are using the following settings:
Code:
Common Name: www.example.com
E-mail address: [email protected]
Subject Alternative Names: www.example.com, example.com

Note: the "[email protected]" address uses the same domain as the server name "server.hostname.com". Could it be possible that this issue occurs because we're using an e-mail address from another domain which is also part of the server name?

Also, it could be that this is a new issue in the current letsencrypt.sh script, because these are renewals and the initial certificate requests didn't have any problems with the above email settings.

WORKAROUND:
As a workaround we replaced the e-mail address in "/usr/local/directadmin/data/users/admin/user.conf" with [email protected] which has valid MX records.
 
The email address can also be changed in "Message system".
 
I faced the same error today. As a user who faces this error, it's very, very unclear what to do, and the user can do nothing but contact hosting support. So probably you need to check first that the admin's email is valid?
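The pre-flight check suggested in the post above, and the MX lookup smtalk describes earlier in the thread, as an added Python example (not DirectAdmin's or letsencrypt.sh's own code): it pulls the first admin address from user.conf the same way the thread's grep/cut one-liner does, rejects a bare hostname such as admin@server before any DNS lookup (that is exactly the case that produced "NXDOMAIN looking up MX for server"), and otherwise resolves the domain with the same `dig +short` used in the thread. The conf path and key name come from the thread; the sample conf line is constructed; the MX-then-A/AAAA fallback order is my assumption about how the CA checks the contact address.

```python
"""Pre-flight check for the ACME contact address that DirectAdmin's letsencrypt.sh
registers with Let's Encrypt.  Added example, not DirectAdmin or letsencrypt.sh code.

Assumptions (not stated in the thread): the CA accepts an A/AAAA record when the
domain has no MX record, and `dig +short` prints one answer per line."""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# Path and key name are the ones the thread's one-liner reads.
ADMIN_CONF = "/usr/local/directadmin/data/users/admin/user.conf"

# Constructed sample of the relevant user.conf content; the first address wins,
# exactly like `cut -d= -f2 | cut -d, -f1`.
SAMPLE_CONF = "username=admin\nemail=admin@server,postmaster@example.com\nusertype=admin\n"

Resolver = Callable[[str, str], List[str]]


def admin_email_from_user_conf(text: str) -> str:
    """Same extraction as: grep '^email=' user.conf | cut -d= -f2 | cut -d, -f1"""
    for line in text.splitlines():
        if line.startswith("email="):
            return line[len("email="):].split(",", 1)[0].strip()
    return ""


def dig_short(name: str, rrtype: str) -> List[str]:
    """Default resolver: the same `dig +short` lookup the thread uses."""
    proc = subprocess.run(["dig", "+short", rrtype, name],
                          capture_output=True, text=True, timeout=15)
    return [ln for ln in proc.stdout.splitlines() if ln.strip()]


def table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Offline resolver built from {(name, rrtype): [answers]}, for tests and dry runs."""
    return lambda name, rrtype: table.get((name, rrtype), [])


def check_contact_email(email: str, resolve: Resolver = dig_short) -> Tuple[bool, str]:
    """Return (ok, reason) for the address the CA will see as the account's mailto: contact."""
    m = re.fullmatch(r"[^@\s,]+@([^@\s,]+)", email)
    if not m:
        return False, f"{email!r} is not a single user@domain address"
    domain = m.group(1).rstrip(".").lower()
    if "." not in domain:
        # The thread's case (admin@server): a bare host label is not a public DNS
        # name, so the CA's MX lookup for it can only answer NXDOMAIN.
        return False, (f"domain {domain!r} is not fully qualified; the CA looks up MX for "
                       f"{domain!r}, expected something like {domain}.example.com")
    if resolve(domain, "MX"):
        return True, f"MX record present for {domain}"
    # Assumption: an A/AAAA record is accepted when the domain has no MX record.
    if resolve(domain, "A") or resolve(domain, "AAAA"):
        return True, f"no MX for {domain}, but an A/AAAA record is present"
    return False, (f"no MX, A or AAAA record for {domain}; add an MX record and wait out "
                   f"the zone's TTL before retrying letsencrypt.sh")


def main(argv: List[str]) -> int:
    """Usage: python3 check_acme_contact.py [path/to/user.conf]  (exit 1 on failure)."""
    path = argv[1] if len(argv) > 1 else ADMIN_CONF
    with open(path, encoding="utf-8") as fh:
        email = admin_email_from_user_conf(fh.read())
    ok, reason = check_contact_email(email)
    print(("OK" if ok else "FAIL") + f": {email}: {reason}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the admin's user.conf before calling letsencrypt.sh; a non-zero exit with the "not fully qualified" reason is the admin@server situation from this thread, and the "no MX, A or AAAA" reason is the freshly added record that the CA's resolver has not seen yet (wait out the TTL, as Ditto notes above).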
 
I had this issue and it was blowing my mind; in the end I let it go.
 