I have been learning the basics of AWS Lightsail and Route53 so that I can move off the GoDaddy hosting platform, start saving money, and take more control over my websites/hosting. AWS looked like the best platform to do this.
AWS is pretty cool, but it is pretty complicated, especially if you aren’t a computer coder to begin with. Still, they make it just easy enough for hobbyists to try it out.
So I had registered and set up a few domains in AWS Lightsail and also had the DNS records in Route53, just so I could see how that works too. It’s probably better to just keep everything in Lightsail unless you need the more robust DNS functions of Route53. Having the same DNS records set up on both can make things more confusing, because you need to make sure the info matches on both systems, but because I was just using them as demos to learn how they work, I had my DNS records set up on both.
One of the main reasons I want to move from GoDaddy to a more D.I.Y. setup is cost. To get an SSL certificate for one domain on GoDaddy is like $80 a year, but I found out that if I installed one manually I could get one from namecheap.com for $29.95 that lasts for 5 years, so I thought this was a much better deal, even though it was kind of a hassle to install it manually on GoDaddy. But then I was looking at what an SSL certificate would cost on AWS Lightsail, and it appeared that I could use the free “Let’s Encrypt SSL certificate with the Bitnami stack using the Bitnami bncert-tool”, so I was psyched to try and figure that out.
As usual I went to the tried and true YouTube to figure out the basics of this free “Let’s Encrypt SSL certificate with the Bitnami stack using the Bitnami bncert-tool” and found this video that explained the basics: https://youtu.be/X9xW6xQw4CE It looked pretty easy and straightforward, so I went about following the video on my own Lightsail instances, but whenever I would try to do it I would get an error message:
“The domain resolves to a different IP address than
the one detected for this machine, which is ‘–.–.–.—‘. Please fix its DNS entries or remove it.”
Well, I tried every DNS checker I could find: leafdns.com, dnschecker.org, whatsmydns.net, etc., and they all showed my domains pointing to the correct IP addresses, so I figured it must be something else. One article I found about this error suggested it was just because it takes time for the DNS records to propagate, but nowadays that happens pretty fast, so that wasn’t it. Then I thought it might be because I had DNS records in both Route53 and Lightsail and that, even if they were identical, this might be causing a problem, but that wasn’t it either. Then I saw an article about how to install the free “Let’s Encrypt SSL certificate with the Bitnami stack using the Bitnami bncert-tool” without validating the DNS records, but that didn’t work either. I was getting pretty frustrated, and it was about 1 AM by this time, so I figured I would go to bed and work on it later.
Well, I couldn’t sleep much and woke up at 5 AM and kept researching why I kept getting the error message:
“The domain resolves to a different IP address than
the one detected for this machine, which is ‘–.–.–.—‘. Please fix its DNS entries or remove it.”
Finally I noticed something at the bottom of an AWS document that said:
“The bncert-tool is supported only on 64-bit Linux operating systems. You can’t use it with IPv6 addresses or to configure HTTPS certificates for NGINX web servers.”
And I figured that was the problem, because I had IPv6 addresses enabled for my domains. So I immediately disabled them, removed all the IPv6 DNS records, and tried the free “Let’s Encrypt SSL certificate with the Bitnami stack using the Bitnami bncert-tool” again, and it worked perfectly!
So, to make a long story short: you need to disable and remove any IPv6 DNS records for the free “Let’s Encrypt SSL certificate with the Bitnami stack using the Bitnami bncert-tool” to work.
It looks like in the future Bitnami will allow this to work with IPv6 domain addresses, because they are the future of IP addresses, but for now it only works with IPv4 addresses. I wish this basic issue/fix were a bit clearer somewhere; live and learn.
So after I installed this free “Let’s Encrypt” SSL certificate I re-enabled the IPv6 addresses and added them back to the DNS records, and it didn’t seem to affect the installed SSL certificate. Hopefully it will be able to renew without having to disable the IPv6 addresses and remove the DNS records.
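A small pre-flight check for the situation above, added here as an example and not part of the original post or of the Bitnami bncert-tool: it looks up a domain's A and AAAA records, compares the A records against the instance's public IPv4 address the way the tool's resolution check does, and flags any AAAA records, which the tool does not support. The function names, the `preflight` finding format and the sample records are constructed for this example.

```python
import ipaddress
import socket
import sys


def resolve_records(domain):
    """Return (a_records, aaaa_records) for a domain via the system resolver."""
    a, aaaa = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, None):
        if family == socket.AF_INET:
            a.add(sockaddr[0])
        elif family == socket.AF_INET6:
            aaaa.add(sockaddr[0].split("%")[0])  # drop any scope id
    return sorted(a), sorted(aaaa)


def preflight(domain, a_records, aaaa_records, instance_ipv4):
    """Classify a domain's DNS state before running bncert-tool.

    Returns a list of (severity, message) findings; an empty list means the
    domain should pass the tool's "resolves to this machine" check.
    """
    findings = []
    try:
        expected = ipaddress.IPv4Address(instance_ipv4)
    except ipaddress.AddressValueError:
        return [("error", f"instance address {instance_ipv4!r} is not IPv4")]
    if not a_records:
        findings.append(("error", f"{domain}: no A record; add one for {expected}"))
    else:
        wrong = [ip for ip in a_records if ipaddress.IPv4Address(ip) != expected]
        if wrong:
            findings.append(("error", f"{domain}: A record(s) {wrong} do not point at {expected}"))
    if aaaa_records:  # the case described in the post: A is right, AAAA trips the tool
        findings.append(("warn", f"{domain}: AAAA record(s) {aaaa_records} present; "
                         "bncert-tool does not support IPv6, remove them before running it"))
    return findings


# Constructed sample records (documentation-range addresses, not a real zone).
SAMPLE_DOMAIN, SAMPLE_INSTANCE_IPV4 = "example.com", "203.0.113.10"
SAMPLE_A, SAMPLE_AAAA = ["203.0.113.10"], ["2001:db8::10"]

if __name__ == "__main__":
    # Usage: python preflight.py <domain> <instance-public-ipv4>
    dom, ip = sys.argv[1], sys.argv[2]
    for severity, message in preflight(dom, *resolve_records(dom), ip) or [("ok", f"{dom}: ready")]:
        print(f"[{severity}] {message}")
```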
-Gordon W.
