Troubleshooting Let’s Encrypt issues

When requesting or renewing your Let’s Encrypt certificate on MODX Cloud, you may come across errors that prevent you from getting a certificate or having it renewed. This article outlines a few things you can check to see whether the trouble is due to how your DNS and Web Rules have been set up, or whether it is something MODX Cloud support needs to review.

1. Do all domains point to the Cloud in question, and are they assigned to that Cloud?
2. Run the following to check for CAA and AAAA records:
2.1 In a Mac/Linux terminal, create a text file with the domains to cover, one domain per line.
2.2 Run the following command inside the same directory as the file you created (TYPE257 is the numeric form of the CAA record type; newer versions of dig also accept CAA by name):
for domain in $(cat filename.txt); do dig "$domain" TYPE257; done
2.3 Run the following command inside the same directory as the file you created:
for domain in $(cat filename.txt); do dig "$domain" AAAA; done
3. If the certificate is new or has expired, make sure there are no web rules forcing https or blocking access to the .well-known directory (Let’s Encrypt’s HTTP validation fetches a file under /.well-known/acme-challenge/ over plain HTTP).

Example TYPE257 output:

dig domain.com type257

; <<>> DiG 9.10.3-P4-Ubuntu <<>> domain.com type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52131
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.com.            IN      CAA

;; ANSWER SECTION:
domain.com.     10800   IN      CAA     0 issue "randomca.com"

;; Query time: 81 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Thu Mar 22 13:39:12 UTC 2018
;; MSG SIZE  rcvd: 78

Here you're looking for an error:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52131

and for the output here:

;; ANSWER SECTION:
domain.com. 10800 IN CAA 0 issue "randomca.com"

If the status is NOERROR and the ANSWER SECTION contains no CAA record, the issue is not here. If a CAA record is present and its issue value names a different CA (as "randomca.com" does above), that record tells Let’s Encrypt it is not allowed to issue for the domain, and the request will fail until the record is removed or letsencrypt.org is added.

Example AAAA output:

dig domain.com AAAA

; <<>> DiG 9.10.3-P4-Ubuntu <<>> domain.com AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50786
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.com.            IN      AAAA

;; ANSWER SECTION:
domain.com.     87      IN      AAAA    2607:f8b0:4006:813::200e

;; Query time: 3 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Thu Mar 22 15:48:33 UTC 2018
;; MSG SIZE  rcvd: 67

Here you're looking for an IPv6 address:

;; ANSWER SECTION:
domain.com. 87 IN AAAA 2607:f8b0:4006:813::200e

If an IPv6 address is there, remove the AAAA record from your DNS: when a domain publishes an AAAA record, Let’s Encrypt attempts validation over IPv6, and that address does not reach your Cloud. If everything looks good in those three steps, open a support ticket using the green help button in the MODX Cloud Dashboard or email support@modxcloud.com with the Internal URL of the Cloud having Let’s Encrypt errors.
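The steps above can be run in one pass and the two things the article asks you to look for (a CAA record that does not permit letsencrypt.org, and any AAAA record at all) reported per domain. The script below is an added example, not MODX Cloud tooling. It assumes a BIND dig that understands the CAA type name by itself (9.9.3 or newer; older builds need TYPE257 as in the article and print the record in undecoded "\# ..." form), and the function names caa_verdict, aaaa_verdict, caa_lookup and check_file are this example's own. Because dig +short suppresses the header, the NOERROR check still needs the plain dig command from the article. It also goes one step beyond the article by climbing to the parent domain when the exact name has no CAA set, which is how a CA evaluates CAA, so a record on domain.com that blocks www.domain.com is not missed.

```shell
#!/bin/sh
# Added example, not MODX Cloud's own tooling. Reads one domain per line from
# the file given as $1 (the article's filename.txt), queries CAA and AAAA with
# dig +short, and reports the two conditions the article asks you to look for.
# Assumes BIND dig 9.9.3 or newer, which understands the CAA type name.

# Classify a CAA record set for a non-wildcard certificate (RFC 8659 rules):
#   no-caa                   nothing published, any CA may issue
#   caa-no-issue-restriction records exist but none carry the "issue" tag
#                            (only iodef/issuewild), so issuance is unrestricted
#   caa-allows-letsencrypt   an "issue" record names letsencrypt.org
#   caa-blocks-letsencrypt   "issue" records exist and none name letsencrypt.org
caa_verdict() {
    records="$1"
    if [ -z "$records" ]; then
        echo "no-caa"
        return
    fi
    # dig +short prints CAA as: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
    issue_lines=$(printf '%s\n' "$records" | grep -E '^[0-9]+ issue ' || true)
    if [ -z "$issue_lines" ]; then
        echo "caa-no-issue-restriction"
        return
    fi
    # Match the value prefix only, so parameters after ";" (e.g. validationmethods) still count
    if printf '%s\n' "$issue_lines" | grep -Fq '"letsencrypt.org'; then
        echo "caa-allows-letsencrypt"
    else
        echo "caa-blocks-letsencrypt"
    fi
}

# Any AAAA answer at all is what the article tells you to remove.
aaaa_verdict() {
    if [ -z "$1" ]; then
        echo "no-aaaa"
    else
        echo "has-aaaa"
    fi
}

# Look up CAA the way a CA does: if the exact name has no CAA set, climb to the
# parent and retry, stopping before the bare TLD. A CAA record on domain.com
# therefore governs www.domain.com even though "dig www.domain.com CAA" is empty.
caa_lookup() {
    name="$1"
    while [ "$name" != "${name#*.}" ]; do
        out=$(dig +short "$name" CAA || true)
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            return
        fi
        name="${name#*.}"
    done
}

# One report line per domain in the file: "<domain>  CAA: <verdict>  AAAA: <verdict>"
check_file() {
    while read -r domain; do
        [ -z "$domain" ] && continue
        caa=$(caa_lookup "$domain")
        aaaa=$(dig +short "$domain" AAAA || true)
        printf '%s\tCAA: %s\tAAAA: %s\n' "$domain" "$(caa_verdict "$caa")" "$(aaaa_verdict "$aaaa")"
    done < "$1"
}

# Constructed sample answers in dig +short form, not real records.
SAMPLE_CAA_BLOCKS='0 issue "randomca.com"'
SAMPLE_CAA_ALLOWS='0 issue "randomca.com"
0 issue "letsencrypt.org"'
SAMPLE_CAA_IODEF_ONLY='0 iodef "mailto:hostmaster@domain.com"'
SAMPLE_AAAA='2607:f8b0:4006:813::200e'

# Usage: sh check_le_dns.sh filename.txt
if [ $# -eq 1 ]; then
    check_file "$1"
fi
```

Run it as sh check_le_dns.sh filename.txt from the directory holding your domain list. A line reading "CAA: caa-blocks-letsencrypt" or "AAAA: has-aaaa" points at the DNS fix described above; "no-caa" or "caa-allows-letsencrypt" together with "no-aaaa" means the problem is not in DNS and step 3 (web rules) or a support ticket is the next stop.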
