Could not provision a Let’s Encrypt certificate

Hey guys,

I just made my first site with Gatsby and Netlify CMS on Netlify. It's up and running on lefgroningen.nl and the Netlify domain is lefgroningen.netlify.com. I’m trying to install SSL on my custom domain. The verification succeeds, but when I click provision certificate it gives me an error: ‘We could not provision a Let’s Encrypt certificate for your custom domain’.
Could anyone help me with this?
The domain is registered at transip.nl and the DNS is apparently correctly configured, as the site is live and reachable. Still, the SSL can't be installed and I can't figure out why.

Hope you guys can help.

Self-hosted or GitLab/Hub/…? Also, just in case the DNS have not fully propagated after your Netlify config, do you mind manually checking using dig @8.8.8.8 lefgroningen.nl? If the query resolves to the IP address assigned to your site via Netlify, then that’s not the issue. Do you have DNS CAA records set? If so, are they correct (allow letsencrypt.org to issue your site a wildcard TLS cert)? Barring any misconfiguration on your end, and I doubt there is any, I would allow for time. Netlify’s service acts as middleware of a type for what would otherwise be controlled via certbot / acme, so Netlify’s issuance of certs relies on Let’s Encrypt’s heavily used infrastructure.

1 Like
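
The CAA question raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it applies the RFC 8659 rules (climb to the nearest name that has CAA records, `issuewild` overrides `issue` for wildcard names, an unknown critical tag blocks issuance) to answer lines in the format `dig <domain> CAA` prints. The record lines and the `ca.example` issuer are constructed for illustration.

```python
# Added example: evaluates CAA records per RFC 8659 on constructed input (no live DNS).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(line):
    """Parse a dig-style answer line: name TTL IN CAA flags tag "value"."""
    fields = line.split(None, 6)
    if len(fields) != 7 or fields[3].upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    name, _ttl, _cls, _typ, flags, tag, value = fields
    return name.rstrip(".").lower(), int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(domain, records):
    """Climb from the domain towards the root; the first name with CAA records wins."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = [r for r in records if r[0] == ".".join(labels[i:])]
        if rrset:
            return rrset
    return []

def ca_may_issue(domain, dig_lines, ca="letsencrypt.org"):
    """Return (allowed, reason) for a certificate request for `domain`."""
    wildcard = domain.startswith("*.")
    base = domain[2:] if wildcard else domain
    records = [parse_caa(l) for l in dig_lines if l.strip() and not l.startswith(";")]
    rrset = relevant_rrset(base, records)
    if not rrset:
        return True, "no CAA records: any CA may issue"
    for _, flags, tag, _ in rrset:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r}"
    # issuewild, when present, replaces issue for wildcard names
    tag = "issuewild" if wildcard and any(r[2] == "issuewild" for r in rrset) else "issue"
    issuers = {r[3].split(";", 1)[0].strip().lower() for r in rrset if r[2] == tag}
    if not issuers:
        return True, f"no {tag} records: issuance not restricted"
    if ca in issuers:
        return True, f"{ca} listed in {tag}"
    return False, f"{tag} allows only {sorted(issuers)}"

# Constructed records (the domain in the thread had no CAA records at all).
SAMPLE = [
    'lefgroningen.nl. 300 IN CAA 0 issue "letsencrypt.org"',
    'lefgroningen.nl. 300 IN CAA 0 issuewild ";"',
]

if __name__ == "__main__":
    for name in ("lefgroningen.nl", "www.lefgroningen.nl", "*.lefgroningen.nl"):
        print(name, ca_may_issue(name, SAMPLE))
```

With no CAA records at all, as in this thread, the check returns allowed, so CAA is ruled out as the cause of a failed provisioning.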

It's hosted from GitHub. The dig command gives me the following answer:

; <<>> DiG 9.10.6 <<>> @8.8.8.8 lefgroningen.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1383
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lefgroningen.nl.               IN      A

;; ANSWER SECTION:
lefgroningen.nl.        299     IN      A       104.198.14.52

;; Query time: 55 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 01 10:04:53 CET 2020
;; MSG SIZE  rcvd: 60

I do not have a CAA record in my DNS config. So it should just take some time? @intr0

Perhaps. Though 104.198.14.52

It's working now :slight_smile: Might be because I hadn’t changed the nameservers over at transip as I was worried the email traffic wouldn’t go through anymore. But it’s all working now and the SSL is installed.

Thanks for rubber ducking :smiley:

Here’s some further info for you:

https://www.abuseipdb.com/check/104.198.14.52 shows you the reports.

I checked the IP for a site of my own that uses Netlify and it too has been reported, as you can see here:

https://www.abuseipdb.com/check/206.189.73.52 - I just requested a takedown, which you can do for yours as well, regardless of cert provisioning. The main barrier, however, is the recent malicious activity originating from your IP, even yours, as well as mine, have low confidence scores as sources for malicious activity.

Peace.

Apologies for the multiple replies, however I noticed something odd when I performed a dig for your domain. I received multiple IPs with each repeated dig, which I did as the first returned an IP that did not match the one you reported from your own dig. I did eventually receive an answer to my query that matched the IP you received from your dig, though a dig should not return different IPs, especially IPs that are outside of any one specific IP block - 192.168.0.0/16 for example - for repeated queries. So, that’s definitely something to look into.

Oh good! I’d request that takedown, though. I’m glad you’ve got the cert provisioned.

Thanks for all your help, @intr0!