Failed to create SSL certs on AWS lightsail

Keywords: Drupal - AWS - Technical issue - Secure Connections (SSL/HTTPS)

bnsupport ID: 8751156a-7cfe-ad8f-0f60-25501da3be30

bndiagnostic output:

? Apache: Found possible issues
? Resources: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/installer/faq/linux-faq/administration/increase-memory-linux/

bndiagnostic failure reason: The suggested guides are not related with my issue

Description:
I’m using bncert-tool to generate SSL certs on AWS Lightsail and am seeing the following errors during that process:

$ sudo /opt/bitnami/bncert-tool
...
2021/09/14 18:21:07 http: TLS handshake error from 129.109.143.2:56913: remote error: tls: illegal parameter
...
2021/09/14 18:21:08 http: TLS handshake error from 129.109.143.2:56915: tls: client using inappropriate protocol fallback
...
[mydomain.ca] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for painbc.ca - the domain's nameservers may be malfunctioning

We updated the DNS A record to point to the correct IP over 72 hours ago and MXToolbox shows that the A record has propagated correctly.

We moved the name servers to AWS and exported and imported the DNS into AWS Route 53 about 3 hours ago.

The bncert tool logs show that the A record IP was correctly found. The log also shows the error with more detail:

2021/09/14 18:21:07 http: TLS handshake error from 129.109.143.2:56913: remote error: tls: illegal parameter
2021/09/14 18:21:07 http: TLS handshake error from 129.109.143.2:56914: remote error: tls: illegal parameter
2021/09/14 18:21:08 http: TLS handshake error from 129.109.143.2:56915: tls: client using inappropriate protocol fallback
2021/09/14 18:21:13 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/30963444190
2021/09/14 18:21:13 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/30963444200
2021/09/14 18:21:13 Could not obtain certificates:
error: one or more domains had a problem:
[painbc.ca] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for painbc.ca - the domain's nameservers may be malfunctioning

We have the following CAA DNS record:

painbc.ca    CAA    Simple    -    0 issue "letsencrypt.org", 0 issue "sectigo.com"

This thread helped me resolve the issue: https://community.letsencrypt.org/t/acme-error-400-urnparamserror-dns-dns-problem-servfail-looking-up-a-for-freephotoshopskills-com/116410

Here’s what was happening:

  • Originally, the domain registration and DNS records were hosted with GoDaddy
  • Whoever set that up had also set up DNSSEC, which has DS “records” and DNSSEC “records” (not sure what the correct terminology is)
  • We moved the DNS records to AWS and changed to use AWS name servers
  • The DS record however remained at GoDaddy because it’s not part of the export DNS zone records and we didn’t know it existed
  • So we had a DS record on GoDaddy but no DNSSEC records on AWS because we didn’t know this had been set up

The solution we chose was to create the DNSSEC records on AWS and alter the DS record at GoDaddy. In the linked thread they solved the issue by removing the DS record from the domain registrar.
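The failure mode described in the post above, as an added example that is not part of the original thread: a small Python check that computes DS records from DNSKEYs (RFC 4034 section 5.1.4 and appendix B) and flags a DS at the registrar that matches none of the keys the new name servers serve, which is what makes a validating resolver (Let's Encrypt's included) answer SERVFAIL. The key material below is constructed sample data, not the real painbc.ca keys; in practice the inputs would come from a `DS` query at the parent and a `DNSKEY` query at the zone.

```python
# Added example: detect a registrar DS that no longer matches the zone's DNSKEYs.
# Keys here are constructed stand-ins, not the domain's real DNSSEC material.
import base64
import hashlib
import struct

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (16-bit word sum, carry folded in)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> tuple:
    """DS as (key_tag, algorithm, digest_type, digest_hex), SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches_dnskeys(ds_records, owner: str, dnskeys) -> bool:
    """True if any DS at the registrar (parent) matches a DNSKEY the zone serves.
    ds_records: (key_tag, algorithm, digest_type, digest_hex); dnskeys: (flags, algorithm, b64)."""
    published = {ds_from_dnskey(owner, f, a, k) for f, a, k in dnskeys}
    wanted = {(t, a, d, h.upper()) for t, a, d, h in ds_records if d == 2}
    return bool(published & wanted)

# Constructed sample keys standing in for the GoDaddy KSK and the new Route 53 KSK.
OLD_KSK_B64 = base64.b64encode(b"constructed-godaddy-ksk").decode()
NEW_KSK_B64 = base64.b64encode(b"constructed-route53-ksk").decode()
# The DS that stayed behind at GoDaddy was derived from the old key.
STALE_DS = [ds_from_dnskey("painbc.ca", 257, 13, OLD_KSK_B64)]

def migration_check(ds_at_registrar, dnskeys_at_host) -> str:
    """What a validating resolver will do with this DS/DNSKEY combination."""
    ok = ds_matches_dnskeys(ds_at_registrar, "painbc.ca", dnskeys_at_host)
    return "chain ok" if ok else "bogus: DS matches no DNSKEY -> SERVFAIL"

if __name__ == "__main__":
    print(migration_check(STALE_DS, [(257, 13, NEW_KSK_B64)]))  # the thread's situation
```

Either fix described in the post makes the check pass: publish DNSKEYs at the new host and update the registrar's DS to match them, or remove the DS so the zone is simply unsigned.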

Hi @danielflippance,

I’m really glad to hear that you managed to solve the issue. Thank you for posting the solution here, it’ll be really helpful for others in the future :slight_smile: