The Let's Encrypt certificate for a .com.mx domain hosted on a DigitalOcean droplet expired, and I couldn't re-issue it: the renewal failed with the error "DNSSEC: DNSKEY Missing" and a complaint that IPv6 wasn't configured. Below I go through what I discovered, step by step:
1- First I added AAAA records and configured the droplet's IPv6 address. On its own this didn't fix anything, although it turned out to be needed later (step 4).
2- In the domain configuration at AKKY (the Mexican registrar that manages .mx domains) I discovered they had added an option called REGISTRO DS (Delegation Signer), which publishes the digest of a KSK key in the parent zone to secure the domain's delegation. The problem is that this DS record, which is the registrar-side half of DNSSEC, is not compatible with DigitalOcean's DNS: a DS record tells validating resolvers to expect a matching DNSKEY in the zone itself, and DigitalOcean's nameservers don't publish one, which is exactly what "DNSKEY Missing" means. So I had to delete that record (the zone is then unsigned, but it resolves again).
3- Checking the domain on a site called DNSViz confirmed that the delegation was now consistent. The DNS issue was resolved.
4- The certificate still wasn't issued, but the error changed to one saying the IPv6 address was not authorized: once the domain has an AAAA record, Let's Encrypt prefers to validate over IPv6, and nothing was listening on it. All I did was add an IPv6 listen directive to the NGINX server block so it serves IPv6 alongside IPv4:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # Listen on all available IPv6 addresses on port 443
    server_name your_domain.com www.your_domain.com;
    ... other configurations
}
With that, the certificate renewal succeeded and the domain was reachable again.
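To make the "DNSKEY Missing" error concrete, here is an added example (mine, not from the original post) that reproduces the parent/child check a validating resolver or DNSViz performs at a zone cut: it derives the DS record the registry would publish from a DNSKEY (RFC 4034 key tag plus SHA-256 digest over the owner name and RDATA) and then reports what happens when the child zone serves that key, serves no key at all (the DigitalOcean case in step 2), or serves the wrong key. The domain name and the KSK bytes are constructed sample values, not the author's real zone or key.

```python
import hashlib
import struct

# RFC 4034 identifiers used below
ALG_ECDSAP256SHA256 = 13   # DNSKEY algorithm number
DS_DIGEST_SHA256 = 2       # DS digest type
FLAGS_KSK = 257            # zone key + Secure Entry Point bits, i.e. a KSK


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: the 16-bit checksum a DS record cites."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record the parent (here the .com.mx registry via AKKY) publishes for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": DS_DIGEST_SHA256, "digest": digest}


def check_delegation(owner: str, ds_records: list, dnskey_rdatas: list) -> str:
    """Mimic the resolver's decision at the zone cut.
    insecure: no DS at the parent, zone is unsigned and simply not validated.
    DNSKEY missing: DS at the parent but the child's nameservers serve no DNSKEY (bogus).
    DS/DNSKEY mismatch: keys exist but none matches any DS (bogus).
    secure: a DNSKEY matches a DS by tag, algorithm and digest."""
    if not ds_records:
        return "insecure"
    if not dnskey_rdatas:
        return "DNSKEY missing"
    for ds in ds_records:
        for rdata in dnskey_rdatas:
            if key_tag(rdata) != ds["key_tag"] or rdata[3] != ds["algorithm"]:
                continue
            if ds["digest_type"] != DS_DIGEST_SHA256:
                continue  # only SHA-256 digests are handled in this example
            if hashlib.sha256(name_to_wire(owner) + rdata).digest() == ds["digest"]:
                return "secure"
    return "DS/DNSKEY mismatch"


# Constructed sample values (not a real zone or key): a KSK whose public key is the bytes 1..64.
SAMPLE_ZONE = "example.com.mx"
SAMPLE_KSK = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(1, 65)))
OTHER_KSK = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(64, 0, -1)))
SAMPLE_DS = make_ds(SAMPLE_ZONE, SAMPLE_KSK)


def scenarios() -> dict:
    """Return the verdict for each of the three situations discussed in the post."""
    return {
        "registrar DS + matching DNSKEY in zone": check_delegation(SAMPLE_ZONE, [SAMPLE_DS], [SAMPLE_KSK]),
        "registrar DS + DNS host serves no DNSKEY": check_delegation(SAMPLE_ZONE, [SAMPLE_DS], []),
        "registrar DS + wrong DNSKEY in zone": check_delegation(SAMPLE_ZONE, [SAMPLE_DS], [OTHER_KSK]),
        "DS deleted at registrar": check_delegation(SAMPLE_ZONE, [], []),
    }


if __name__ == "__main__":
    print(f"key tag of sample KSK: {key_tag(SAMPLE_KSK)}")
    for label, verdict in scenarios().items():
        print(f"{label}: {verdict}")
```

The second scenario is the one the post hit: the DS stayed published at AKKY while the zone moved to nameservers that don't sign, so resolvers that validate DNSSEC treated the domain as bogus and Let's Encrypt could not complete its DNS lookups. Deleting the DS (last scenario) returns the zone to plain unsigned resolution; re-enabling DNSSEC later would require a DNS host that publishes the DNSKEY and then re-adding a DS that matches it.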