Question about troubleshooting Let's Encrypt: Hunting for AAAA records
Turbo_Pascal
Member
I have a domain name whose Let's Encrypt certificate unexpectedly refused to renew itself. The hosting is Serv00. The Serv00 interface tells me, after deleting the certificate and trying to create a new certificate, that my domain name has an AAAA record. To my knowledge, there isn't and never has been a AAAA record attached to this domain name. I have many domain names hosted at Serv00 with no problems.
I am using a Linux terminal to query for any AAAA records. To do so, I am using a "curl" command with https://dns.google/ (which LowEndTalk will not allow me to display in its entirety here because it invokes Cloudflare security on this forum).
Is anyone familiar with this method of querying for AAAA records? I am getting a result that includes data, but does not appear the way I would expect an IPv6 address to look.
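The dns.google endpoint referred to above returns JSON, and the "Answer" array can carry records of more than one type (for example a CNAME ahead of the AAAA it points to), which is one way to get "data" that is not an IPv6 address. The parser below is an added example, not code from the thread or from Serv00; the sample responses are constructed in the shape of the Google DNS-over-HTTPS JSON API and stand in for real queries:

```python
import json
import ipaddress

# DNS RR type numbers as they appear in the dns.google JSON "type" field
RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA", 43: "DS", 48: "DNSKEY"}

def build_query_url(name: str, rtype: str) -> str:
    """URL for the dns.google JSON resolver; fetch it with curl or any HTTP client."""
    return f"https://dns.google/resolve?name={name}&type={rtype}"

def classify_answer(doh_json: str) -> dict:
    """Parse one dns.google /resolve response and report what actually came back:
    records grouped by type name, strictly parsed IPv6 addresses from AAAA records,
    the response status (0 = NOERROR, 3 = NXDOMAIN) and the DNSSEC AD flag."""
    resp = json.loads(doh_json)
    by_type, ipv6 = {}, []
    for rr in resp.get("Answer", []):
        tname = RR_TYPES.get(rr["type"], f"TYPE{rr['type']}")
        by_type.setdefault(tname, []).append(rr["data"])
        if rr["type"] == 28:
            # Strict parse: a CNAME target or garbage is never reported as an address
            ipv6.append(str(ipaddress.IPv6Address(rr["data"])))
    q = resp["Question"][0]
    return {
        "question": (q["name"], RR_TYPES.get(q["type"], q["type"])),
        "status": resp["Status"],
        "dnssec_validated": resp.get("AD", False),
        "records": by_type,
        "ipv6": ipv6,
    }

# Constructed sample: AAAA query answered with a CNAME first, then the real AAAA
SAMPLE_AAAA = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "www.example.com.", "type": 28}],
    "Answer": [
        {"name": "www.example.com.", "type": 5, "TTL": 300, "data": "example.com."},
        {"name": "example.com.", "type": 28, "TTL": 300, "data": "2001:db8::1"},
    ],
})

# Constructed sample: DS query with no answer section, i.e. no DNSSEC delegation
SAMPLE_DS = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.com.", "type": 43}],
})

if __name__ == "__main__":
    print(classify_answer(SAMPLE_AAAA))
    print(classify_answer(SAMPLE_DS))
```

An empty "records" for the DS query corresponds to the "no DS records" result the VeriSign debugger reports; a non-empty AAAA list is the only case where the name really has an IPv6 address.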

Comments
Are you seeing errors like this?
Detail: DNS problem: looking up A for www.example.com: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for www.example.com: DNSSEC: DNSKEY Missing
Somehow a newly registered domain had DNSSEC enabled. You have to delete the DS record at the registrar to disable DNSSEC.
You can see if a DS is set at the .com (or whatever TLD it is) https://dnssec-debugger.verisignlabs.com/
Found 1 DS records for example.com in the com zone
I wonder if I should consider abandoning Serv00's in-house implementation of Let's Encrypt. Maybe the trouble isn't worth it. Specifically, I'm wondering if I should consider switching to a Cloudflare certificate, which would have to be installed at Serv00. I already moved the DNS hosting to Cloudflare. However, I would be reluctant to install a Cloudflare certificate if it requires manual renewals or other periodic work.
I don't think such an error appeared, but I appreciate your pointing out the possibility of DNSSEC or DS problems. Obviously I'm open to any ideas. That VeriSign link is indicating there are no DS records or DNSKEY records at my domain name. (It is a dotcom.)
Are you insisting on using curl? Try using the -6 flag with ipinfo.io. Otherwise just use whatsmydns.net.
If you can't post terminal output, just screenshot it and then post the image.
Are Cloudflare certificates similar in all respects to Let's Encrypt, i.e. free and self-renewed?
Are there any comparable advantages/disadvantages between Cloudflare and Let's Encrypt?
From briefly reading about it on the web, I got the idea that curl is the best method. Maybe that isn't right.
Let's Encrypt via Serv00 has the disadvantage of not allowing certificate renewals while using Cloudflare's DNS proxy. I thought I was making a compromise for convenience, but now it doesn't seem convenient. I have never used a Cloudflare certificate, so I don't know how much work and maintenance is involved. If I go install a Cloudflare certificate, the difficult task will be to encrypt traffic between Cloudflare and the origin. The encryption between Cloudflare and end users should be much easier to set up.
To encrypt traffic from origin to flare, you can download origin cert: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
Does Cloudflare SSL work any differently than a Let's Encrypt SSL?
It's the same, just another way if OP has issues with Let's Encrypt behind CF.
Does CF SSL work more smoothly behind a CF CDN than LE SSL would behind a CF CDN?
To follow the conversation, it definitely occurred to me that if I try it, Cloudflare's SSL could give me the same error. But maybe Cloudflare is easier to troubleshoot (with more documentation, etc) than Serv00.
I believe so. Based on my experience, Let's Encrypt refuses to renew itself when Cloudflare's DNS proxy is enabled. It basically makes sense that the certificate can't verify itself with a proxy, but still it is a bit frustrating.
certbot has a plugin to talk to the Cloudflare API:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/
No, there are no advantages to using a CF cert instead of LE.
CloudFlare actually issues LetsEncrypt SSL certificates.
But what about the advantage of being able to use Cloudflare's DNS proxy and get automatic renewals? Or are you saying it will not automatically renew? If it does automatically renew, that sounds to me like a significant advantage.
Cloudflare uses multiple CA to issue certificates. https://developers.cloudflare.com/ssl/reference/certificate-authorities/
They manage the renewal process automatically.
Just now, I tried to install a new Cloudflare certificate and key in Serv00. No errors or unexpected behavior happened. Then I enabled the DNS proxy and selected full (strict) encryption. Right away, the web site began loading in Chrome with SSL. I even tried removing the "s" from "https" in the address bar and it switched it to "https", implying that Cloudflare is forcing encryption.
I began this thread believing I would have to find an AAAA record that doesn't exist. Instead I ignored it and found a solution that looks better.