DNS issues and unable to get a certificate

What type of hardware are you using: Virtual machine
What YunoHost version are you running: 12.0.10
How are you able to access your server: The webadmin, SSH

Describe your issue

So, I’ve been working at this for hours. I’ve searched the internet and this forum to no avail. I have Yunohost installed in a VM in Proxmox, with proper network settings set in Proxmox. In Cloudflare, DNS settings are set up as demonstrated by Yunohost setup, and I have automatic DNS set up for my domain. I have my tld set up as the default with subdomains for the services I want to host. Here comes the problem - I can’t get ANY certs from letsencrypt for any of my domains. When I run diagnosis, I get a problem with my CAA setup; it says that it’s not set up properly, yet in Cloudflare, CAA is properly set up with @ for the name and “letsencrypt.org” as the CA domain name. And when I ignore diagnosis checks for my tld and try to install a letsencrypt certificate, I get an error at the verifying step. I haven’t found any other posts with this issue, so please let me know what I’m doing wrong and how to fix it! Thanks!

Share relevant logs or error messages

CAA Warning
[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)

Letsencrypt cert install attempt
https://paste.yunohost.org/raw/oloqewowex
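Added example, not from the thread or from YunoHost: a small offline model of the CAA check a CA such as Let's Encrypt performs before issuing (RFC 8659 lookup that climbs from the requested name toward the apex). It shows why a single `@ CAA 0 issue "letsencrypt.org"` record at the apex also covers subdomains, and what a record that forbids issuance looks like. The zone data and domain names are constructed for the example.

```python
# Added example (not from the thread): offline model of the CAA check a CA such as
# Let's Encrypt performs before issuing (RFC 8659 "tree climbing" lookup).
# Domain names and records below are constructed test data.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) set = issuer-critical property
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # issuer domain, optionally "; params", or ";" meaning "nobody"

# Constructed zone: one CAA record at the apex (like the "@ letsencrypt.org"
# record in the thread) plus a sub-zone that forbids all issuance.
ZONE = {
    "example.test": [CAA(0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "blocked.example.test": [CAA(0, "issue", ";")],
}

def relevant_caa(name, zone):
    """Climb from name toward the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def issuer_of(record):
    """Issuer domain part of an issue/issuewild value, without parameters."""
    return record.value.split(";", 1)[0].strip().lower()

def ca_allowed(name, ca_domain, wildcard=False, zone=ZONE):
    """True if ca_domain may issue a cert for name (or *.name when wildcard)."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True                      # no CAA in the whole chain: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False                     # critical property the CA does not understand
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    props = issuewild if wildcard and issuewild else issue
    if not props:
        return True                      # only iodef etc.: no issuance restriction
    return ca_domain.lower() in {issuer_of(r) for r in props}

if __name__ == "__main__":
    for host in ("example.test", "cloud.example.test", "app.blocked.example.test"):
        print(host, "->", "allowed" if ca_allowed(host, "letsencrypt.org") else "DENIED")
```

A live check of the published record (for example `dig CAA yourdomain.tld`) must show the same answer the diagnosis expects; if the CDN in front of the domain rewrites or proxies the zone, the record visible on the internet can differ from what the DNS panel displays.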

Can you share the diagnosis? Use the green button and paste the link here.

Since making this post version 12.0.11 has released and I just got home and updated my Yunohost instance. Ran diagnostics again and I’m still getting the same issue. Here is the yunopaste of my diagnostics result.

https://paste.yunohost.org/raw/qaduyikixi

Hi k0mprssd,

Welcome to the forums!

Having Yunohost in a VM on Proxmox works perfectly, as does having Yunohost in a container. The latter takes fewer resources, so could be an option if you run on your own hardware.

You are seeing the results for Cloudflare in your diagnostics.

Which Cloudflare services do you use?

Thanks for the welcome! And the help, of course.
I bought my domain from Namecheap and I use Cloudflare for name servers and management. I have my DNS records set up as Yunohost gave me, with a couple of extra records from other projects through Cloudflare.

Could it be that you also use their “Universal SSL”? Being a big not-fan of Cloudflare, I have no idea what it is, but being such, I expected Cloudflare to mess with something in between the internet and your server.

A thread over at stackoverflow mentions symptoms that match your situation.

Are you able to browse to the domain after accepting the selfsigned certificate?
I see a lot of errors with ports: 80, 443, etc.

Hey, that worked! Which is weird because I disabled it before and it didn’t solve anything… I guess turning it off and on again managed to do something? Thanks a ton for the suggestion!

1 Like

I managed to properly forward all necessary ports in my OPNsense firewall and get rid of all errors. Turning “Universal SSL” on and off again seemed to fix the issue, and I’m now getting certs for my domains. Thanks for the help.

1 Like
