Generating certificate error 409 (Conflict?)

February 24, 2020 at 5:17pm

Does anybody have an idea what is going on here and why I cannot assign an alias for a new domain?

➜ binaaz-react git:(pre) now alias https://binaaz-3e8e8a246.binaaz.qa/ ru.pre2.binaaz.qa
Now CLI 17.0.4
Assigning alias ru.pre2.binaaz.qa to deployment binaaz-3e8e8a246.binaaz.qa
⠧ Generating a certificate...
Error! An unexpected error occurred in alias: Error: Response Error (409)
at Object.responseError [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2234661)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at /usr/local/lib/node_modules/now/dist/index.js:2:1838521
at i.default.retries (/usr/local/lib/node_modules/now/dist/index.js:2:3892136)
at Object.createCertForCns [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2067591)
at Object.createCertificateForAlias [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2475213)
at Object.createAlias [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:3969445)
at Object.assignAlias [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:4230359)
at set (/usr/local/lib/node_modules/now/dist/index.js:2:4003413)
at Se (/usr/local/lib/node_modules/now/dist/index.js:2:1728252)

February 24, 2020 at 5:19pm

Check the CAA records of the domain.

Screenshot is better than a text above :)

Domain is managed by zeit. Where can I check about CAA?

;; ANSWER SECTION:
binaaz.qa. 60 IN CAA 0 issue "letsencrypt.org"

Okay, I have checked and it seems good

do we need "issuewild"?

Is this something you changed recently?

Okay, I have added records:

➜ binaaz-react git:(pre) dig binaaz.qa CAA +short
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"

Still failing on generating certificate

This may be related. As child domains inherit CAA configuration, it seems that "zeit.co" related CAA configuration is used:

➜ binaaz-react git:(pre) dig pre.binaaz.qa CAA
; <<>> DiG 9.10.6 <<>> pre.binaaz.qa CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52541
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pre.binaaz.qa. IN CAA
;; ANSWER SECTION:
pre.binaaz.qa. 26 IN CNAME alias.zeit.co.
alias.zeit.co. 1766 IN CAA 0 issue "letsencrypt.org"
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Feb 24 19:45:24 EET 2020
;; MSG SIZE rcvd: 103

As per letsencrypt, they say that 409 response means "Account already exists". Is there anything I can do to make it work again?

Tried as well:

➜ binaaz-react git:(pre) now certs issue '*.pre.binaaz.qa' 'pre.binaaz.qa'
Now CLI 17.0.4
Error! An unexpected error occurred in certs: Error: Response Error (409)
at Object.responseError [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2234661)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at /usr/local/lib/node_modules/now/dist/index.js:2:1838521
at i.default.retries (/usr/local/lib/node_modules/now/dist/index.js:2:3892136)
at Object.createCertForCns [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2067591)
at Object.issue [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2448729)
at Se (/usr/local/lib/node_modules/now/dist/index.js:2:1728252)
➜ binaaz-react git:(pre) now certs issue 'pre.binaaz.qa'
Now CLI 17.0.4
Error! An unexpected error occurred in certs: Error: Response Error (409)
at Object.responseError [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2234661)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at /usr/local/lib/node_modules/now/dist/index.js:2:1838521
at i.default.retries (/usr/local/lib/node_modules/now/dist/index.js:2:3892136)
at Object.createCertForCns [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2067591)
at Object.issue [as default] (/usr/local/lib/node_modules/now/dist/index.js:2:2448729)
at Se (/usr/local/lib/node_modules/now/dist/index.js:2:1728252)

Domain is managed by zeit. Where can I check about CAA?

now dns ls should give you that information. 409 = there is a CAA record somewhere that LE is unable to process.

I have never changed anything re CAA or DNS records for that domain.

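
The thread turns on which CAA record set a CA evaluates for a given name. As an added example (not part of the thread, and not ZEIT's or Let's Encrypt's code), the Python below follows the RFC 8659 lookup: query the name, let the resolver follow any CNAME, and climb to the parent only when the answer is empty. The function names are hypothetical and ZONE is constructed data modelled on the dig output posted above.

```python
# Added example: RFC 8659 relevant-CAA-set lookup over a constructed zone.
# ZONE is constructed sample data modelled on the dig output in the thread.
ZONE = {
    "binaaz.qa": {"CAA": [("issue", "letsencrypt.org"),
                          ("issuewild", "letsencrypt.org")]},
    "pre.binaaz.qa": {"CNAME": "alias.zeit.co"},
    "alias.zeit.co": {"CAA": [("issue", "letsencrypt.org")]},
}

def query_caa(name, zone, max_hops=8):
    """CAA RRset a resolver returns for `name`, following CNAMEs as dig does."""
    for _ in range(max_hops):
        rec = zone.get(name, {})
        if "CNAME" not in rec:
            return rec.get("CAA", [])
        name = rec["CNAME"]
    raise RuntimeError("CNAME chain too long or looping")

def relevant_caa_set(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard request starts at the name after "*."
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = query_caa(candidate, zone)
        if rrset:
            return candidate, rrset
    return None, []

def ca_may_issue(fqdn, ca, zone):
    """True if `ca` is listed, or if CAA places no restriction on fqdn."""
    _, rrset = relevant_caa_set(fqdn, zone)
    issue = [v for t, v in rrset if t == "issue"]
    wild = [v for t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only
    applicable = wild if fqdn.startswith("*.") and wild else issue
    if not applicable:
        return True  # no restricting property in the relevant set
    # the issuer domain is the part before any ";"-separated parameters
    return any(v.split(";")[0].strip().lower() == ca for v in applicable)
```

With this data, pre.binaaz.qa is governed by the CAA set published at alias.zeit.co (reached through the CNAME), while ru.pre2.binaaz.qa falls back to the set at binaaz.qa.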