bncert failing on DNS validation failure even though DNS entry exists


I am trying to enable ssh for my wordpress instance on lightsail following https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-enabling-https-on-wordpress.html

However, the process fails with the errors:

[mbc-rei.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for mbc-rei.com: DNSSEC: DNSKEY Missing: validation failure <mbc-rei.com. A IN>: No DNSKEY record from 2600:9000:5306:3900::1 for key mbc-rei.com. while building chain of trust; DNS problem: looking up AAAA for mbc-rei.com: DNSSEC: DNSKEY Missing: validation failure <mbc-rei.com. AAAA IN>: No DNSKEY record from 205.251.197.185 for key mbc-rei.com. while building chain of trust

[www.mbc-rei.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: looking up A for www.mbc-rei.com: DNSSEC: DNSKEY Missing: validation failure <www.mbc-rei.com. A IN>: key for validation mbc-rei.com. is marked as invalid because of a previous No DNSKEY record; DNS problem: looking up AAAA for www.mbc-rei.com: DNSSEC: DNSKEY Missing: validation failure <www.mbc-rei.com. AAAA IN>: No DNSKEY record from 2600:9000:5305:b900::1 for key mbc-rei.com. while building chain of trust

However, if I do a DNS lookup using that DNS server, there is a record. The DNS records were updated 8+ hours ago, so it is not surprising that they have propagated.

I am wondering if the fact that my domain has a - in it is causing problems with the lookups. Is there something I need to do to escape that character? Or is there something else I need to do in order to get the service to generate the certificate I need?

1 Answer
Accepted Answer

The issue you're experiencing is not related to the hyphen in your domain name, but rather appears to be a DNSSEC (Domain Name System Security Extensions) validation problem. DNSSEC is a set of extensions to DNS that provide authentication of DNS data, and in your case, it seems that the DNSSEC validation is failing.

The error messages indicate that there are missing DNSKEY records, which are crucial for DNSSEC validation. This suggests that either DNSSEC is not properly configured for your domain, or there might be issues with the DNSSEC setup at your domain registrar or DNS provider.

To resolve this issue, you should:

  1. Check with your domain registrar or DNS provider to ensure that DNSSEC is properly configured for your domain. If it's not needed, you might consider disabling DNSSEC temporarily to see if that resolves the issue.

  2. If DNSSEC is required, work with your DNS provider to correct the DNSSEC configuration, ensuring all necessary records (including DNSKEY records) are present and correct.

  3. Verify that your DNS records (A and AAAA records) for both the apex domain (mbc-rei.com) and the www subdomain (www.mbc-rei.com) are correctly set up and pointing to your Lightsail instance's IP address.

  4. After making any changes to your DNS or DNSSEC configuration, allow some time for the changes to propagate before attempting the bncert process again.

  5. If you continue to face issues, you might want to consider using an alternative method for obtaining an SSL/TLS certificate, such as manually using Certbot, which offers more control over the certificate issuance process.

Remember that the bncert tool is designed to simplify the process of obtaining and installing SSL/TLS certificates, but it may not handle all edge cases, especially when dealing with complex DNS configurations like DNSSEC. If the problem persists after addressing the DNSSEC issues, you may need to consult with AWS support or consider alternative methods for securing your WordPress site with HTTPS on Lightsail.
Sources
Secure your WordPress site with HTTPS on Lightsail - Amazon Lightsail
Troubleshoot DNS validation problems - AWS Certificate Manager
Launch and configure a WordPress instance on Lightsail - Amazon Lightsail

answered a month ago
EXPERT reviewed a month ago
  • Thank you for the insight. It does appear that the issue was the DNSSEC record still being intact with my registrar since lightsail doesn't seem to support that.
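As an added example (not code from the question, the answer, or the bncert tool), a small offline model of the chain-of-trust check behind the "No DNSKEY record ... while building chain of trust" error: it computes the key tag and SHA-256 DS for a DNSKEY per RFC 4034 and classifies a delegation from the DS set the parent publishes and the DNSKEY set the zone serves, which is exactly the stale-DS-at-the-registrar situation the comment above confirms. The DNSKEY and DS values are constructed; mbc-rei.com is used only as the owner name.

```python
import hashlib
import struct
from collections import namedtuple

# RFC 4034 wire-level fields; public_key is the raw key (base64-decoded from the zone file)
DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm public_key")
DS = namedtuple("DS", "key_tag algorithm digest_type digest")  # digest_type 2 = SHA-256 only
ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1: bit 7 of the DNSKEY flags field

def dnskey_rdata(key):
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key

def key_tag(key):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical wire form: lower-cased, length-prefixed labels, zero terminator (hyphens need no escaping)."""
    labels = [lb for lb in owner.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def ds_for_key(owner, key):
    """The DS record the parent zone (submitted via the registrar) should publish for this DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)

def chain_state(owner, ds_set, dnskey_set):
    """How a validating resolver classifies the delegation before trusting an A/AAAA answer."""
    if not ds_set:
        return "insecure"  # no DS at the parent: zone treated as unsigned, lookups succeed
    if not dnskey_set:
        return "bogus: DS at parent but zone serves no DNSKEY"  # the failure in the question
    for ds in ds_set:
        for key in dnskey_set:
            if key.flags & ZONE_KEY_FLAG and ds_for_key(owner, key) == ds:
                return "secure"
    return "bogus: no DNSKEY in the zone matches a published DS"

# Constructed scenario matching the question: the registrar still publishes a DS for the
# previous provider's KSK, while the new host serves an unsigned zone (no DNSKEY at all).
OLD_KSK = DNSKEY(257, 3, 13, bytes.fromhex("0102"))  # tiny constructed key, not a real one
STALE_DS = {ds_for_key("mbc-rei.com.", OLD_KSK)}

def diagnose_question():
    """Before the fix (stale DS, empty DNSKEY set) and after the registrar removes the DS."""
    return chain_state("mbc-rei.com.", STALE_DS, set()), chain_state("mbc-rei.com.", set(), set())
```

Against a live zone the same classification can be made by comparing `dig DS mbc-rei.com` (asked of the parent) with `dig DNSKEY mbc-rei.com` (asked of the zone's own name servers); an ACME validator treats "bogus" as a lookup failure, not as a missing record.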
