Issue with DNS propagation / DNSSEC issue

nivomix · November 17, 2023, 9:50am

Hello,

I have some issue with DNS propagation on domain nivomix.be, it is stuck in half way and I cannot request SSL (on another service). Probably person who was transferring domain forgot to disable DNSSEC before domain transfer.

nivomix · November 17, 2023, 9:52am

What I should do? (since DNSSEC is already disabled on Cloudflare)

sjr · November 17, 2023, 10:00am

nivomix.be is not proxied and requests go direct to your origin. However, your origin certificate is for *.closte.com. Ignoring that, I can connect ok. You need a certificate for *.nivomix.be

curl -Ivv https://nivomix.be
*   Trying 35.204.252.203:443...
* Connected to nivomix.be (35.204.252.203) port 443 (#0)
....
* Server certificate:
*  subject: CN=*.closte.com
*  start date: Jun 12 00:00:00 2023 GMT
*  expire date: Jun  5 23:59:59 2024 GMT
*  subjectAltName does not match nivomix.be
* SSL: no alternative certificate subject name matches target host name 'nivomix.be'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'nivomix.be'

curl -I --insecure https://nivomix.be
HTTP/2 200
content-type: text/html; charset=UTF-8
link: <https://nivomix.be/wp-json/>; rel="https://api.w.org/"
link: <https://nivomix.be/wp-json/wp/v2/pages/2>; rel="alternate"; type="application/json"
link: <https://nivomix.be/>; rel=shortlink
cache-control: no-cache, must-revalidate, max-age=0
x-cacheable: yes
etag: "1231-1700158094;;;"
x-litespeed-cache: hit
date: Fri, 17 Nov 2023 09:57:44 GMT
server: LiteSpeed
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

nivomix · November 17, 2023, 10:24am

SSL can be requested only via web interface and can probably happen only after fixing “DNSSEC validation failure”

https://dns.google/query?name=nivomix.be&rr_type=A&ecs=
https://www.whatsmydns.net/#A/nivomix.be

sjr · November 17, 2023, 10:29am

That’s a separate problem. You will need to add the DS records at your registrar.

system · December 2, 2023, 10:30am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.