Score:0

Certbot error - DNSSEC: DNSKEY Missing


I moved my domain to Route53 and am now getting problems with Certbot renewal. Certbot has been running great for 4 years, but is now failing to renew.

When running `sudo certbot renew --apache` I get this error:

   Type:   None
   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: DNSKEY Missing

DNSSEC is not, and hasn't ever been enabled for that domain in Route53, so not sure why Certbot fails.

I am at a loss here and would really like to use Route53 instead of the old domain manager.

EDIT: It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

This is what I see under Registered domains in Route 53:

Registered domains

Using Ubuntu/Apache/python3-certbot-apache

UPDATE: I removed the record in Route53 Registered domains, but now I'm getting this error instead:

   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: Bogus
Jaromanda X avatar
`DNSSEC is not, and hasn't ever been enabled for that domain in Route53` - did you used to have DNSSEC set up?
Malako avatar
In the old domain manager it looks like DNSSEC was enabled by default. I just did a domain transfer to Route53, copied all the DNS records and changed name servers and thought that was it. Any help is really appreciated.
Score:1
cn flag

It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

It sounds like you need to either remove the DS record if you don't want to have the zone signed, or otherwise sign the zone and update the DS record to reflect the current DNSKEY.

The DS record is part of the delegation (parent zone) and is managed through your registrar.

Malako avatar
I added a screenshot to the question just to make sure I am on the right track. I should delete this record, right? I don't want to enable DNSSEC for now.
cn flag
@Malako Looks reasonable to me, if this is in the registrar section of Route53.
Malako avatar
I deleted the record but now I'm getting another error - question updated. Thanks a lot for taking your time Håkan, I really appreciate it!
cn flag
@Malako That looks like the same error, no? It could just be a caching problem, but hard to tell from my end. Maybe see what dnsviz.net says?
Malako avatar
Hi Håkan. For A record it's the same, for AAAA it's different. I will try again this evening.
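
Added example (not part of the original thread or written by any of its participants): the answer's point that the DS record in the parent zone must either be removed or match a DNSKEY the zone actually serves, shown as an offline consistency check. The DS digest and key tag follow RFC 4034; the key material is constructed sample data and the function names are hypothetical.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Compare the DS set at the registrar/parent with the zone's DNSKEY set."""
    if not parent_ds:
        return "insecure"        # no DS: unsigned delegation, nothing to validate
    if not child_dnskeys:
        return "dnskey-missing"  # DS promises a signed zone, zone serves no key
    if set(parent_ds) & {make_ds(owner, k) for k in child_dnskeys}:
        return "ds-matches-dnskey"
    return "ds-mismatch"         # DS points at a key the zone no longer serves

# Constructed sample data: two placeholder key-signing keys (flags 257, algorithm 13).
ZONE = "somedomain.com"
OLD_KEY = dnskey_rdata(257, 13, bytes(range(64)))       # key at the old provider
NEW_KEY = dnskey_rdata(257, 13, bytes(range(64, 128)))  # key if the new zone is signed
STALE_DS = [make_ds(ZONE, OLD_KEY)]                     # DS left at the registrar

if __name__ == "__main__":
    # After the move: stale DS in the parent, unsigned zone at the new provider.
    print("after transfer:       ", delegation_state(ZONE, STALE_DS, []))
    # Fix 1: remove the DS record at the registrar.
    print("DS removed:           ", delegation_state(ZONE, [], []))
    # Signing with a new key without updating the DS is still broken.
    print("signed, DS not updated:", delegation_state(ZONE, STALE_DS, [NEW_KEY]))
    # Fix 2: sign the zone and publish a DS for the current key.
    print("signed, DS updated:   ",
          delegation_state(ZONE, [make_ds(ZONE, NEW_KEY)], [NEW_KEY]))
```

This only checks that a DS matches a published key; it does not verify RRSIG signatures, and validating resolvers may keep a removed DS cached until its TTL expires.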