Removing/correcting existing SOA record to allow Let's Encrypt to generate SSL CA

Support
, ,
#1

I’ve been working for many hours today to debug a failed SSL/TLS certificate generation for my domain mqm2022.org. The domain provider is Google Domains, and I originally had a Wix placeholder site in place. However, I’ve created a Netlify site, and I’ve been working to switch the DNS over:

I can confirm that the DNS entries have propagated using https://dnschecker.org/#A/mqm2022.org.

My Netlify domain dashboard indicates that I’m using Netlify DNS, as expected.

I find no issues at https://letsdebug.net/mqm2022.org/855333.

Also, my domain registrar is not using DNSSEC: https://dnsviz.net/d/www.mqm2022.org/dnssec/

Running curl -s -v http://mqm2022.org | grep server gives: < server: Netlify

However, host -t soa mqm2022.org yields: mqm2022.org has SOA record dns1.p05.nsone.net. domains+netlify.netlify.com. 1641578520 43200 7200 1209600 3600

According to this (very helpful) blog, this will prevent SSL CA generation, but I don’t know what to do about it (or why it’s occurring).

Additional (relevant?) information:

Running dig @ns-cloud-e4.googledomains.com www.mqm2022.org -t ns gives:

; <<>> DiG 9.10.6 <<>> @ns-cloud-e4.googledomains.com www.mqm2022.org -t ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41290
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.mqm2022.org.		IN	NS

;; AUTHORITY SECTION:
mqm2022.org.		300	IN	SOA	ns-cloud-e1.googledomains.com. cloud-dns-hostmaster.google.com. 5 21600 3600 259200 300

;; Query time: 35 msec
;; SERVER: 216.239.38.110#53(216.239.38.110)
;; WHEN: Fri Jan 07 16:48:16 EST 2022
;; MSG SIZE  rcvd: 137

Running dig mqm2022.org gives:

; <<>> DiG 9.10.6 <<>> www.mqm2022.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60415
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mqm2022.org.		IN	A

;; ANSWER SECTION:
www.mqm2022.org.	20	IN	A	157.245.242.152
www.mqm2022.org.	20	IN	A	161.35.60.200

;; AUTHORITY SECTION:
mqm2022.org.		3497	IN	NS	dns1.p05.nsone.net.
mqm2022.org.		3497	IN	NS	dns2.p05.nsone.net.
mqm2022.org.		3497	IN	NS	dns4.p05.nsone.net.
mqm2022.org.		3497	IN	NS	dns3.p05.nsone.net.

;; ADDITIONAL SECTION:
dns1.p05.nsone.net.	36578	IN	A	198.51.44.5
dns2.p05.nsone.net.	36527	IN	A	198.51.45.5
dns3.p05.nsone.net.	36786	IN	A	198.51.44.69
dns4.p05.nsone.net.	36839	IN	A	198.51.45.69
dns1.p05.nsone.net.	49361	IN	AAAA	2620:4d:4000:6259:7:5:0:1
dns2.p05.nsone.net.	12786	IN	AAAA	2a00:edc0:6259:7:5::2
dns3.p05.nsone.net.	29175	IN	AAAA	2620:4d:4000:6259:7:5:0:3
dns4.p05.nsone.net.	80684	IN	AAAA	2a00:edc0:6259:7:5::4

;; Query time: 39 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jan 07 16:51:48 EST 2022
;; MSG SIZE  rcvd: 341
#2

Hi @crawdad

This information is correct if you are transitioning to Netlify DNS. This is the same information seen for my domain coelmay.net

coelmay.net has
   SOA record dns1.p02.nsone.net.
   domains+netlify.netlify.com.
   1640332834 43200 7200 1209600 3600

Have you added the domain as a custom domain to your Netlify site? What entries do you see under https://app.netlify.com/teams/YOUR_TEAM/dns/YOUR_DOMAMIN?

#3

Here’s what I have in my custom domains:

image
image1139×2038 91.3 KB

#4

Have you tried the Renew certificate button on the Custom domains page?

If that doesn’t work, there is possibly an issue is the background that neither of us can see. Possibly similar to this one.

#5

I’m not finding a Renew certificate button on there, so I’m not sure how to try that suggestion.

Is it a problem that I have www.mqm202.com as my primary domain and mqm2022.com as secondary? I don’t see why it would matter, but…

#6

Note that I’ve not had a successful certificate creation, so I don’t have a Renew certificate button yet.

#7

No, should have no impact on this.

Under the SSL/TLS certificate of the Custom Domains page, what do you see? e.g.

ssl-coelmay.net.au
ssl-coelmay.net.au1800×1094 95.4 KB

#8

image
image1170×1554 171 KB

And if I click the Verify DNS configuration button, I see

image
image1170×2190 120 KB

#9

Ok, you may simply have to wait longer (24 hours, or even 48 hours) for everything to sort itself out.

You might like to look through the follow thread which lists numerous other resources for DNS debugging

#10

Thanks for your suggestions!