Let's Encrypt "Cannot find domain in the certificate"?

jlpeifer (Verified User, joined Jun 6, 2006, 103 messages)
What-the-what is going on here? I'm setting up a new DA server and am starting to relocate accounts between the old server and the new. I'm doing this by performing an admin-level backup of the entire account, copying the resulting tar.gz file to the new server, and then restoring using the DA console.

I moved an account successfully to the new server and then decided that I wanted to test the creation of Let's Encrypt SSL certs against the sole domain associated with the account (yaddayadda.com) as well as some of its associated sub-domains. Here's the message I saw after attempting this...

Certificate and Key Saved.

Details

LetsEncrypt request successful for:
mail.yaddayadda.com
www.yaddayadda.com
Cannot find domain in the certificate.
However, subdomains have been found instead. Proceeding with them.

After I initially transferred the account from the old server to the new, SSL was working fine on the primary domain; however, now that I attempted to run Let's Encrypt manually I am encountering the problem above. Browsers that attempt to visit the "https" version of the website associated with the domain are now greeted with "Warning: Potential Security Risk Ahead" messages.

I found this thread addressing a similar problem. The OP answered his own question, but only partially. Does this have something to do with an AAA record?

If so, how do I correct?
If not, how do I correct?
 
This is solved. All of it had to do with funky DNS propagation issues (and my apparent lack of patience). Even though the entire world had updated the root IP information for this domain, somehow Google's 8.8.8.8 DNS server hadn't. Let's Encrypt was using that 8.8.8.8 server to resolve the public IP of the domain. The IP being returned didn't match the IP of my server, so the encryption failed. Oddly, the same 8.8.8.8 server was able to correctly resolve the subdomain IPs (which happened to be the same as the root). Soooo... eventually everything settled down and I was able to successfully request a Let's Encrypt SSL cert for the primary domain. Clear as mud? Hope this helps someone out there eventually.
 
Ever hear of DNS caching? That's why they say it takes 24 to 48 hours for DNS changes to take effect.
 
A few links for checking DNS propagation, if you do not want to wait 24-48 hours:
 
Ever hear of DNS caching? That's why they say it takes 24 to 48 hours for DNS changes to take effect.
Thanks for the (snarky) reply floyd. Yes, I've heard of DNS Caching. That's why I checked the DNS entries against servers worldwide. The fact that the record had propagated everywhere EXCEPT 8.8.8.8 (the primary DNS server against which Let's Encrypt apparently checks) was unexpected. DirectAdmin doesn't provide enough detail in its default, Let's Encrypt error message for proper debugging. It was only after I noticed a lingering message in my server's messaging system that I was able to understand what was going on.
 
Thanks for the (snarky) reply floyd.

You're welcome. Come for information and stay for the snark. That is what makes a forum enjoyable.

I know you already know this, but for any others who happen upon this thread, I wouldn't expect anything to work properly until 2 days have passed after a DNS change. It can take longer because some service providers don't follow the TTL "rules." Also, you will find it beneficial to change the TTL several days prior to making a DNS change.
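As an added example (not from this thread, DirectAdmin or Let's Encrypt), a pre-flight check along the lines of what jlpeifer ended up doing by hand: ask several public resolvers, 8.8.8.8 included, for the A record of the apex and each subdomain, and report any resolver whose answer does not contain the server's IP, with the TTLs that floyd's advice is about. The expected IP, resolver list and hostnames are placeholders; it uses only the standard library and speaks raw DNS over UDP.

```python
import socket
import struct

# Constructed placeholders: the new server's IP (documentation range) and resolvers to ask.
EXPECTED_IP = "203.0.113.10"
RESOLVERS = {"google": "8.8.8.8", "cloudflare": "1.1.1.1", "quad9": "9.9.9.9"}

def build_query(name, txid=0x1234):
    """Standard DNS A query for `name`, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)
def skip_name(pkt, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        off += pkt[off] + 1
    return off + 1
def parse_a_records(pkt):
    """Return [(ip, ttl), ...] from the answer section; [] on an error RCODE."""
    _, flags, qd, an = struct.unpack(">HHHH", pkt[:8])
    if flags & 0x000F:                   # non-zero RCODE (e.g. NXDOMAIN, SERVFAIL)
        return []
    off = 12
    for _ in range(qd):                  # skip question entries (name + type + class)
        off = skip_name(pkt, off) + 4
    out = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            out.append((socket.inet_ntoa(pkt[off:off + 4]), ttl))
        off += rdlen
    return out
def lookup(name, resolver, timeout=3.0):
    """Ask one resolver over UDP/53 and parse its A answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recvfrom(512)[0])
def stale_resolvers(answers, expected_ip):
    """answers: {label: [(ip, ttl), ...]}; labels whose answers omit expected_ip."""
    return sorted(k for k, recs in answers.items() if expected_ip not in {ip for ip, _ in recs})

if __name__ == "__main__":
    for host in ("yaddayadda.com", "www.yaddayadda.com", "mail.yaddayadda.com"):
        seen = {k: lookup(host, ip) for k, ip in RESOLVERS.items()}
        print(host, "stale at:", stale_resolvers(seen, EXPECTED_IP) or "none")
```

Only request the certificate once every resolver in the list returns the server's IP for the apex as well as the subdomains; a resolver still serving the old address is exactly the failure described above.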
 