CAA DNS Record in Diagnosis and letsencrypt not working

My YunoHost server

Hardware: Raspberry Pi 4
YunoHost version: 4.2.8.3
I have access to my server : Through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hey guys,

I configured my DNS according to this
https://yunohost.org/en/dns_config?q=%2Fdns_config
and with the help of this command:

yunohost domain dns-conf mydomain.com

But I still get 1 warning in my DNS records. I double checked them and they look good to me in Cloudflare.
There is also a warning in Internet connectivity. I tried this solution, but it didn’t help me:

I deactivated ipv6 for now since there seems to be a problem with my router sharing ipv6 ports, after I did that yunohost Diagnosis said that my Port exposure is good. (Once everything else is working I’m gonna try fixing that problem)

I can access YunoHost through my domain when I’m not connected to my local network, but as soon as I connect to the same network where YunoHost is, it says “This site can’t be reached”. Also there is no certificate, I guess that also has something to do with the DNS error.

Here is the DNS record in Cloudflare:

And those are the Logs:

================================
Base system (basesystem)

[INFO] Server hardware architecture is bare-metal armhf

  • Server model is Raspberry Pi 4 Model B Rev 1.4

[INFO] Server is running Linux kernel 5.10.63-v7l+

[INFO] Server is running Debian 10.11

[INFO] Server is running YunoHost 4.2.8.3 (stable)

  • yunohost version: 4.2.8.3 (stable)
  • yunohost-admin version: 4.2.5 (stable)
  • moulinette version: 4.2.4 (stable)
  • ssowat version: 4.2.4 (stable)

=================================
Internet connectivity (ip)

[WARNING] DNS resolution seems to be working, but it looks like you’re using a custom /etc/resolv.conf.

  • The file /etc/resolv.conf should be a symlink to /etc/resolvconf/run/resolv.conf itself pointing to 127.0.0.1 (dnsmasq). If you want to manually configure DNS resolvers, please edit /etc/resolv.dnsmasq.conf.

[SUCCESS] The server is connected to the Internet through IPv4!

  • Global IP: xx.xx.xx.xx
  • Local IP: 192.168.178.47

=================================
DNS records (dnsrecords)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)

[SUCCESS] Your domains are registered and not going to expire anytime soon.

  • maindomain.tld expires in 727 days.

=================================
Ports exposure (ports)

[SUCCESS] Port 22 is reachable from outside.

  • Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from outside.

  • Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 5222 is reachable from outside.

  • Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from outside.

  • Exposing this port is needed for xmpp features (service metronome)

=================================
Web (web)

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.

=================================
Email (mail)

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[SUCCESS] 0 pending emails in the mail queues

=================================
Services status check (services)

[SUCCESS] Service avahi-daemon is running!

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.3-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

=================================
System resources (systemresources)

[SUCCESS] The system still has 7.1 GiB (95%) RAM available out of 7.5 GiB.

[INFO] The system has only 100 MiB swap. You should consider having at least 512 MiB to avoid situations where the system runs out of memory.

  • Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device`.

[SUCCESS] Storage / (on device /dev/root) still has 1.7 TiB (99.8%) space left (out of 1.7 TiB)!

[SUCCESS] Storage /boot (on device /dev/sda1) still has 204 MiB (81%) space left (out of 252 MiB)!

=================================
System configurations (regenconf)

[SUCCESS] All configurations files are in line with the recommended configuration!

Hi, and welcome to the forums!

I think your router provides ‘DNS rebind protection’, perhaps in combination with ‘hairpinning’.

Hairpinning is accessing servers in the LAN directly, instead of via the internet.
DNS rebind protection: usually a domain should resolve to a public IP, but in your (and my) case, it eventually resolves to a private IP (192.168.1.14, for example). Normally ‘google.com’ or another domain should not point to and try to get resources from 192.168.1.x.

Depending on make and model, there should be a way to turn it off for your own domain or in general.

Which router do you have?

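One way to tell from inside the LAN which of the situations described above applies (rebind protection filtering the answer, hairpinning to a private address, or a plain public answer). This is an added example, not code from any post in this thread; the hostname and addresses in it are constructed samples, and it also accepts IPv6 ULA and link-local answers, which the post does not mention.

```python
"""Classify what the LAN resolver returns for a self-hosted domain.

With DNS rebind protection on the router, looking up your own domain from
inside the LAN either fails or has its private-address answers dropped,
which the browser shows as "This site can't be reached".
"""
import ipaddress
import socket

BLOCKED = "blocked"   # no usable answer: typical signature of rebind protection
PRIVATE = "private"   # resolves to a LAN address: hairpinning / rebind exception works
PUBLIC = "public"     # resolves to the public IP only: depends on router NAT hairpin


def resolve(hostname):
    """Ask the system resolver for every A/AAAA address of hostname.

    Returns an empty list when the name does not resolve at all.
    """
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify_answers(addresses):
    """Return BLOCKED, PRIVATE or PUBLIC for a list of address strings."""
    if not addresses:
        return BLOCKED
    for text in addresses:
        # getaddrinfo may append a scope id to link-local IPv6 ("fe80::1%eth0")
        addr = ipaddress.ip_address(text.split("%")[0])
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return PRIVATE
    return PUBLIC


def diagnose(hostname):
    """Resolve hostname and return (verdict, addresses) for a quick LAN check."""
    addresses = resolve(hostname)
    return classify_answers(addresses), addresses


if __name__ == "__main__":
    # "maindomain.tld" is the placeholder name used in the diagnosis log above.
    verdict, answers = diagnose("maindomain.tld")
    print(verdict, answers)
```

Run it once from outside the LAN and once from inside: "public" outside but "blocked" inside is the rebind-protection case, which a host name exception on the router fixes.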

What does “letsencrypt not working” mean?

Do you have any logs from when you try to generate the letsencrypt certificate?

Hi,

I have a FRITZ!Box 7590, and it was exactly that: I had to add a host name exception in the router settings. Thank you, that works now :ok_hand:.

Great, nice to read it is solved. Have a lot of fun with your Yunohost!


Ah sorry for not explaining, I meant that when I access YunoHost, at the top it says “Not Secure”, the https is crossed out and it says that my certificate is invalid. When I go into the SSL settings of my domain in YunoHost, it says the following:


And since it says something about letsencrypt in the log under DNS records, I thought it might be that, but I couldn’t figure it out.

Thanks a lot :grinning_face_with_smiling_eyes:

I found the solution, I just had to revert to a self-signed certificate, and then make a new certificate with letsencrypt.
