LE Can't Add SSL to New Website

Discussion in 'ISPConfig 3 Priority Support' started by yupthatguy, Jul 7, 2021.

  1. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Ok... it's been 48 hours since my registrar launched propagation on the malfunctioning domains. I checked with them and they said the ongoing problem is with the nameservers, countering with:

    [​IMG]

    I went through and checked all of my domains using whatsmydns.net and all of them had so many failures, I was truly surprised that any of them previously received an LE SSL certificate at all.

    So I went back to ISPConfig to seek out the syslog to see if BIND is functioning properly, but again, as the noob... I was a little confused because under Monitor there seem to be 2 different syslogs.
    [​IMG] and [​IMG] Perhaps same log in different formats?

    In any case, running with the second syslog... I have the following info in the log, none of which is marked "bind" content:

    Code:
     
    Jul 11 10:26:08 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOM): query (cache) 'other-domain.cOM/A/IN' denied
    Jul 11 10:26:08 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:08 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:09 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/A/IN' denied
    Jul 11 10:26:09 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOM): query (cache) 'other-domain.cOM/A/IN' denied
    Jul 11 10:26:10 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/A/IN' denied
    Jul 11 10:26:10 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:11 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/A/IN' denied
    Jul 11 10:26:11 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/A/IN' denied
    Jul 11 10:26:12 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/A/IN' denied
    Jul 11 10:26:13 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:13 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COm): query (cache) 'other-domain.COm/A/IN' denied
    Jul 11 10:26:14 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:15 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.coM): query (cache) 'other-domain.coM/A/IN' denied
    Jul 11 10:26:16 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:16 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/A/IN' denied
    Jul 11 10:26:17 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/A/IN' denied
    Jul 11 10:26:18 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COm): query (cache) 'other-domain.COm/A/IN' denied
    Jul 11 10:26:19 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:26:20 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.Com): query (cache) 'other-domain.Com/A/IN' denied
    Jul 11 10:26:21 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOM): query (cache) 'other-domain.cOM/A/IN' denied
    Jul 11 10:26:22 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:22 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:23 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOM): query (cache) 'other-domain.cOM/AAAA/IN' denied
    Jul 11 10:26:23 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:23 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/AAAA/IN' denied
    Jul 11 10:26:23 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.Com): query (cache) 'other-domain.Com/AAAA/IN' denied
    Jul 11 10:26:24 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:24 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:24 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/AAAA/IN' denied
    Jul 11 10:26:25 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.Com): query (cache) 'other-domain.Com/AAAA/IN' denied
    Jul 11 10:26:25 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.Com): query (cache) 'other-domain.Com/AAAA/IN' denied
    Jul 11 10:26:26 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:26 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/AAAA/IN' denied
    Jul 11 10:26:27 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:27 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:28 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:29 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/AAAA/IN' denied
    Jul 11 10:26:30 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:30 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/AAAA/IN' denied
    Jul 11 10:26:31 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:32 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
    Jul 11 10:26:33 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COM): query (cache) 'other-domain.COM/AAAA/IN' denied
    Jul 11 10:26:34 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.COm): query (cache) 'other-domain.COm/AAAA/IN' denied
    Jul 11 10:26:35 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.com): query (cache) 'other-domain.com/AAAA/IN' denied
    Jul 11 10:26:36 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.cOm): query (cache) 'other-domain.cOm/AAAA/IN' denied
    Jul 11 10:26:37 server1 named[892]: client @0x7f8e6c0a9be0 3.90.229.82#58905 (other-domain.coM): query (cache) 'other-domain.coM/AAAA/IN' denied
    Jul 11 10:26:45 server1 postfix/smtps/smtpd[15630]: warning: unknown[xx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 11 10:26:50 server1 postfix/smtps/smtpd[15630]: lost connection after AUTH from unknown[xx.xxx.xxx.xxx]
    Jul 11 10:26:50 server1 postfix/smtps/smtpd[15630]: disconnect from unknown[xx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 commands=2/3
    Jul 11 10:27:01 server1 CRON[2460]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:27:01 server1 CRON[2461]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:27:40 server1 postfix/smtps/smtpd[15630]: connect from unknown[xx.xxx.xxx.xxx]
    Jul 11 10:28:01 server1 CRON[2833]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:28:01 server1 CRON[2834]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:28:17 server1 postfix/smtps/smtpd[15630]: warning: unknown[xx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 11 10:28:22 server1 postfix/smtps/smtpd[15630]: lost connection after AUTH from unknown[xx.xxx.xxx.xxx]
    Jul 11 10:28:22 server1 postfix/smtps/smtpd[15630]: disconnect from unknown[xx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 commands=2/3
    Jul 11 10:28:29 server1 postfix/smtpd[2986]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:28:29 server1 postfix/proxymap[2993]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:28:29 server1 postfix/smtpd[2986]: warning: hostname ip-113-70.4vendeta.com does not resolve to address xx.xxx.xxx.xxx2: Name or service not known
    Jul 11 10:28:29 server1 postfix/smtpd[2986]: connect from unknown[xx.xxx.xxx.xxx2]
    Jul 11 10:28:38 server1 postfix/smtpd[2986]: warning: unknown[xx.xxx.xxx.xxx2]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 11 10:28:39 server1 postfix/smtpd[2986]: lost connection after AUTH from unknown[xx.xxx.xxx.xxx2]
    Jul 11 10:28:39 server1 postfix/smtpd[2986]: disconnect from unknown[xx.xxx.xxx.xxx2] ehlo=1 auth=0/1 commands=1/2
    Jul 11 10:28:39 server1 postfix/smtpd[2986]: connect from unknown[xx.xxx.xxx.xxx1]
    Jul 11 10:28:51 server1 postfix/smtpd[2986]: warning: unknown[xx.xxx.xxx.xxx1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 11 10:28:52 server1 postfix/smtpd[2986]: lost connection after AUTH from unknown[xx.xxx.xxx.xxx1]
    Jul 11 10:28:52 server1 postfix/smtpd[2986]: disconnect from unknown[xx.xxx.xxx.xxx1] ehlo=1 auth=0/1 commands=1/2
    Jul 11 10:29:01 server1 CRON[3200]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:29:01 server1 CRON[3201]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:29:12 server1 postfix/smtps/smtpd[15630]: connect from unknown[xx.xxx.xxx.xxx]
    Jul 11 10:29:27 server1 postfix/anvil[2536]: statistics: max connection rate 3/60s for (smtp:xx.xxx.xxx.xxx3) at Jul 11 10:20:55
    Jul 11 10:29:27 server1 postfix/anvil[2536]: statistics: max connection count 1 for (smtps:xx.xxx.xxx.xxx) at Jul 11 10:20:05
    Jul 11 10:29:27 server1 postfix/anvil[2536]: statistics: max cache size 3 at Jul 11 10:28:39
    Jul 11 10:29:50 server1 postfix/smtps/smtpd[15630]: warning: unknown[xx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Jul 11 10:29:55 server1 postfix/smtps/smtpd[15630]: lost connection after AUTH from unknown[xx.xxx.xxx.xxx]
    Jul 11 10:29:55 server1 postfix/smtps/smtpd[15630]: disconnect from unknown[xx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 commands=2/3
    Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 192.0.101.226#15357 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:30:01 server1 CRON[3477]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:30:01 server1 CRON[3476]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jul 11 10:30:01 server1 CRON[3478]: (getmail) CMD (/usr/local/bin/run-getmail.sh > /dev/null 2>> /dev/null)
    Jul 11 10:30:01 server1 CRON[3479]: (root) CMD (/usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1)
    Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 208.69.32.186#39198 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:30:01 server1 postfix/smtpd[3588]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 208.69.32.186#35461 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:30:01 server1 postfix/submission/smtpd[3588]: warning: hostname fitness.2012londonbad.com does not resolve to address xx.xxx.xxx.xxx4: Name or service not known
    Jul 11 10:30:01 server1 postfix/submission/smtpd[3588]: connect from unknown[xx.xxx.xxx.xxx4]
    Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 208.69.32.186#46653 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:30:01 server1 postfix/sendmail[3708]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:30:01 server1 postfix/postqueue[3708]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:30:01 server1 postfix/showq[3713]: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 172.253.8.1#36810 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
    Jul 11 10:30:02 server1 pure-ftpd: ([email protected]) [INFO] New connection from 127.0.0.1
    Jul 11 10:30:02 server1 pure-ftpd: ([email protected]) [INFO] Logout.
    Jul 11 10:30:02 server1 postfix/smtpd[2986]: connect from localhost[127.0.0.1]
    Jul 11 10:30:02 server1 postfix/smtpd[2986]: lost connection after CONNECT from localhost[127.0.0.1]
    Jul 11 10:30:02 server1 postfix/smtpd[2986]: disconnect from localhost[127.0.0.1] commands=0/0
    Jul 11 10:30:02 server1 dovecot: pop3-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<hhUmyM/G1sR/AAAB>
    Jul 11 10:30:02 server1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=<7D0myM/GpNB/AAAB>
    
    (yes, I noticed the postfix login failure, will address that later)

    NOTE: other-domain.com is a domain that I own, but have not created a DNS record in ispconfig for....

    whatsmydns.net seems to be effectively pointing towards nameservers / DNS not being properly propagated.

    What are my options? I am following up with hosting company following this post.
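
The `named` "query (cache) ... denied" lines in the excerpt above can be grouped to show which names resolvers ask this server for even though it holds no zone for them. This is an added example, not part of the original post; the sample lines are constructed in the same format, and `served_zones` is an assumed list of the zones actually configured on the server.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the syslog excerpt above;
# the client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Jul 11 10:26:08 server1 named[892]: client @0x7f8e6c0a9be0 192.0.2.53#58905 (other-domain.cOM): query (cache) 'other-domain.cOM/A/IN' denied
Jul 11 10:26:08 server1 named[892]: client @0x7f8e6c0a9be0 192.0.2.53#58905 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
Jul 11 10:26:22 server1 named[892]: client @0x7f8e6c0a9be0 192.0.2.53#58905 (other-domain.CoM): query (cache) 'other-domain.CoM/AAAA/IN' denied
Jul 11 10:26:50 server1 postfix/smtps/smtpd[15630]: lost connection after AUTH from unknown[203.0.113.9]
Jul 11 10:30:01 server1 named[892]: client @0x7f8e6c0a9be0 198.51.100.7#15357 (other-domain.com): query (cache) 'other-domain.com/A/IN' denied
"""

# Matches BIND's refusal of a query it would have to answer from cache,
# i.e. the name is not in any zone this server is authoritative for.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def summarize_denied(log_text):
    """Group denied queries by case-folded name (DNS names are case-insensitive)."""
    out = defaultdict(lambda: {"count": 0, "clients": set(),
                               "qtypes": set(), "spellings": set()})
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # other daemons (postfix, cron, ...) are ignored
        entry = out[m["qname"].rstrip(".").lower()]
        entry["count"] += 1
        entry["clients"].add(m["ip"])
        entry["qtypes"].add(m["qtype"])
        # Mixed-case variants of one name are collapsed but counted here.
        entry["spellings"].add(m["qname"])
    return dict(out)

def unserved_names(log_text, served_zones):
    """Names that are queried here but fall under none of the served zones."""
    served = [z.rstrip(".").lower() for z in served_zones]
    def covered(name):
        return any(name == z or name.endswith("." + z) for z in served)
    return sorted(n for n in summarize_denied(log_text) if not covered(n))

if __name__ == "__main__":
    for name, info in summarize_denied(SAMPLE_LOG).items():
        print(name, info["count"], sorted(info["clients"]), sorted(info["qtypes"]))
    print("no zone on this server:", unserved_names(SAMPLE_LOG, ["example.org"]))
```
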
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, they contain completely different things, as can easily be seen when you open them. The first one is the syslog from ispconfig, the second one is the syslog of the Linux system.

    named = bind. The program is named BIND but the application binary is named 'named'.

    I've just tested it with howtoforge.com and I did not get any propagation failures on the map. But in the end, it does not matter which result whatsmydns.net shows, as your problem is that Let's Encrypt can't resolve your domain, and unless you solve the DNS propagation issues, you won't get a LE cert for this domain.
     
  3. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Thanks for the clarity, will add that to my notes.

    Likewise, added to my notes

    Agreed, but the clear goal of mine is to figure out the "how to resolve" the problem part.

    #dig example.org +trace

    Shows everything working properly (provided by hosting company)... there's nothing for me to actually fix on my end, who should I approach on this propagation issue?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Are the NS records of this domain subdomains of the same domain? If yes and if you have other domains on this server, try changing the NS records, nameserver field, and DNS info at the domain registry to another domain that points to your server and then check over the next days if these changes propagate correctly.

    If it still does not work with your current provider, then consider using the DNS servers of your provider or use free Cloudflare DNS.
     
  5. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Thanks for the feedback, still mentally "deciphering" the feedback... do you think something like

    What?

    The NS records for example.org are ns1.example-host-domain.com and ns2.example-host-domain.com (<- I use these as the nameservers for all domains that I host)

    Question: if I change the nameserver information of example-host-domain.com to be the nameserver info from my hosting company so that it gets better propagation.... would I still be able to use ns1.example-host-domain.com and ns2.example-host-domain.com for the other domains?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you don't use a subdomain of the same domain (example.org).

    I talked about changing the NS records of example.org and not changing example-host-domain.com. Do NOT touch any other domains except the affected example.org domain!
     
  7. yupthatguy

    yupthatguy Member HowtoForge Supporter

    Understood.. however my hosting company seems to think that pointing example-host-name.com at ns1.example-host-domain.com and ns2.example-host-domain.com is problematic.

    Hence, I was wondering if pointing example-host-name.com at ns1.hosting-provider-domain.com and ns2.hosting-provider-domain.com would make example-host-name.com resolve correctly, and in turn, make ns1.example-host-name.com and ns2.example-host-name.com resolve / propagate all other domains correctly.

    I haven't changed anything yet waiting on hosting provider feedback.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's no issue as long as your hosting provider has set correct glue records on the root server for ns1.example-host-name.com and ns2.example-host-name.com. When you run your own DNS servers which use subdomains of one of your own domain names as the DNS server names, then this domain must have glue records set up, and that's nothing that can be avoided in such a setup. You can change the domain name of yours, but then the glue records must be set for this new domain, so you don't win anything by exchanging the domain that you use for your DNS servers' hostnames.

    Google for DNS glue records if you'd like to know what this is about in detail, there are plenty of articles that explain in depth what they are and why they are needed to resolve this hen <> egg problem.
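
The glue requirement described above can be checked mechanically from a parent-zone referral: a nameserver whose hostname lies inside the delegated domain needs an address record in the same referral. This is an added example, not part of the original post; the referral text is constructed in the record layout `dig` prints, with documentation-range addresses, and the function names are hypothetical.

```python
# Constructed referral for a domain whose nameservers are its own subdomains.
# ns2 deliberately has no address record in the ADDITIONAL section.
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example-host-domain.com. 172800 IN NS ns1.example-host-domain.com.
example-host-domain.com. 172800 IN NS ns2.example-host-domain.com.

;; ADDITIONAL SECTION:
ns1.example-host-domain.com. 172800 IN A 192.0.2.10
"""

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")

def in_bailiwick(host, zone):
    """True if host is the zone apex or a name below it (label-wise match)."""
    h, z = labels(host), labels(zone)
    return len(h) >= len(z) and h[-len(z):] == z

def parse_records(text):
    """Yield (owner, rtype, rdata) from dig-style 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";") and fields[2] == "IN":
            yield fields[0], fields[3], fields[4]

def missing_glue(referral):
    """Nameservers inside the delegated domain that have no A/AAAA glue."""
    records = list(parse_records(referral))
    glued = {tuple(labels(owner)) for owner, rtype, _ in records
             if rtype in ("A", "AAAA")}
    missing = set()
    for zone, rtype, target in records:
        if rtype != "NS":
            continue
        # Out-of-bailiwick nameservers are resolved through their own
        # domain's delegation, so no glue is expected for them here.
        if in_bailiwick(target, zone) and tuple(labels(target)) not in glued:
            missing.add(target.rstrip(".").lower())
    return sorted(missing)

if __name__ == "__main__":
    print("in-bailiwick nameservers without glue:", missing_glue(SAMPLE_REFERRAL))
```
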
     
  9. yupthatguy

    yupthatguy Member HowtoForge Supporter

    You were right, it was no issue. The Level 1 tech was just clueless. Just a PBS announcement. If you do "Tech China"... use HuaWei, not Alibaba... HuaWei's advertised services "work". At this moment, Alibaba's staff are all scratching their heads trying to figure out why their internal DNS system is -obviously- broken. :(
     
