Acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up A for mail.itmagazineme.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: itmagazineme.com

I ran this command: Issue a certificate (new one)

It produced this output: acme: error code 400 “urn:ietf:params:acme:error:dns”: DNS problem: SERVFAIL looking up A for mail.itmagazineme.com

My web server is (include version): no idea

The operating system my web server runs on is (include version): no idea

My hosting provider, if applicable, is: fastcomet

I can login to a root shell on my machine (yes or no, or I don’t know): sure

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Your domain has a DNSSEC misconfiguration: https://letsdebug.net/mail.itmagazineme.com/238115

You have DNSSEC enabled at your domain registrar (the domain has a DS record), but your nameservers are not configured with DNSSEC (there is no DNSKEY record).

You can either disable DNSSEC at your registrar, or complete your DNSSEC setup.

1 Like

I guess I must be on the slow side of the planet/Internet…
I can’t seem to even get a NS record for that domain name.

OK I see them in: https://lookup.icann.org/lookup

I like to use +trace to avoid propagation issues. Granted, it still might happen with the cc/gTLD servers due to anycast, but much less likely IME:

dig +trace itmagazineme.com dnskey

3 Likes

DNSViz paints that into a nice simple picture:
https://dnsviz.net/d/itmagazineme.com/dnssec/

1 Like
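
An added example, not part of the original thread or of any tool mentioned in it: a small checker that takes the text printed by `dig +short <zone> DS` and `dig +short <zone> DNSKEY` and reports the DS-without-DNSKEY condition diagnosed above, plus the related case where a DNSKEY exists but none matches the DS key tag. The function names and the sample records are constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_ds(text):
    """`dig +short DS` lines (keytag algorithm digest-type digest) -> {(keytag, algorithm)}."""
    rows = (line.split() for line in text.splitlines())
    return {(int(f[0]), int(f[1])) for f in rows
            if len(f) >= 4 and f[0].isdigit() and f[1].isdigit()}

def parse_dnskey(text):
    """`dig +short DNSKEY` lines (flags protocol algorithm base64) -> {(keytag, algorithm)}."""
    keys = set()
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and all(x.isdigit() for x in f[:3]):
            flags, proto, alg = int(f[0]), int(f[1]), int(f[2])
            # dig may split the base64 key into several chunks; rejoin them.
            keys.add((key_tag(flags, proto, alg, "".join(f[3:])), alg))
    return keys

def classify(ds_text, dnskey_text):
    """Compare the parent's DS set with the zone's DNSKEY set."""
    ds, keys = parse_ds(ds_text), parse_dnskey(dnskey_text)
    if not ds:
        return "insecure"  # no DS at the parent: resolvers do not validate this zone
    if not keys:
        # The case in this thread: validating resolvers answer SERVFAIL.
        return "bogus: DS published but zone serves no DNSKEY"
    if not ds & keys:
        return "bogus: no DNSKEY matches any DS key tag"
    return "ds-matches-dnskey"  # DS digest and RRSIGs are not verified here

# Constructed sample data (not the real records of the domain in this thread).
SAMPLE_DS = "2064 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
SAMPLE_DNSKEY = "257 3 13 AQID"  # shortened constructed key, not a usable one

if __name__ == "__main__":
    print(classify(SAMPLE_DS, ""))             # DS at registrar, no DNSKEY served
    print(classify(SAMPLE_DS, SAMPLE_DNSKEY))  # after the DNSSEC setup is completed
```

An empty DS set only means the zone is unsigned from the resolver's point of view, which is the state you reach by disabling DNSSEC at the registrar.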