ACMESharp - HTTP Challenges not Completing Due to DNS Server

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: Submit-ACMEChallenge webapi-sazka7 -ChallengeType http-01

It produced this output:
IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier :
Uri :
Status : invalid
Expires : 6/15/2017 8:08:18 AM
Challenges : {, , }
Combinations : {1, 0, 2}

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is: DNSMADEEASY

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I am receiving that there is a problem resolving the DNS, however the records are resolved by any DNS lookup tool.

Please advise.

I think this should have included the full name:

This is only the alias not the DNS record, you can see in the response that there is a resolve problem:
"type": "http-01",
"status": "invalid",
"error": {
  "type": "urn:acme:error:connection",
  "detail": "DNS problem: SERVFAIL looking up A for",
  "status": 400

There is the problem.
But it doesn't make sense; the DNS for your domain is serviced by: internet address = internet address = internet address = AAAA IPv6 address = 2600:1802:14::1 internet address = AAAA IPv6 address = 2600:1801:13::1 internet address = internet address =

I checked all the IPv4 server IPs and they all resolved that name as:

I don't know how to proceed - sorry.


You should review the DNSSEC conf for your domain because it is not configured properly and that can cause the error you are getting.


This is weird, I have delegation for this domain and I manage to get 2 other DNS records verified under the same domain.

How can I check if the problem is on my NS servers or the person who gave me delegation did not set it correctly?



Hi @ohadrh,

What domains? Because there are certificates issued by Let's Encrypt for (with 1 subdomain), (with 3 more subdomains) and and all of them are resolved directly by DNS servers. Now, has been delegated and it is resolved by name servers but you didn't prepare this child zone to use DNSSEC.

In the first link I provided to you, you will see the problems you need to resolve:

  1. No DS records found for in the zone
  2. No DNSKEY records found
  3. No NSEC records in response
  4. No RRSIGs found


There’s nothing inherently wrong with a signed-to-unsigned delegation. (After all, the root zone is signed, and many other zones aren’t.) The problem is doing it incorrectly, which is, I suppose, what the red errors on DNSViz are about.


I managed to submit a request for and

You can see the request here:

hi @ohadrh

Neither of your domains seemed to be configured well on your DNS.

If I try to browse to I get a timeout.

You are trying to use the HTTP challenge so something needs to be listening for that domain and DNS should be configured to work.

It can be frustrating that a previous challenge worked but I don’t believe if you try to pass it now it would work.



I closed the access to these URLs so you won’t be able to browse.
All of my other delegated domains (I have about 10 of them) are configured the same as this one and I managed to generate a certificate for all of them except this one.

This is very weird, haven’t encountered this issue yet.

all good

test the access from somewhere that is allowed and see if you can browse in a browser


I’ve tested all the endpoints and you can browse to them from all over the world once I allow the connection in the FW (which I have when I tried to generate the certificate).

I found this on DNSMADEEASY website:
DNS Made Easy does provide support for DNSSEC using our secondary DNS service. We do not provide support for DNSSEC using our primary DNS service at this time. As more resolving name servers implement support for this feature, DNS made Easy will implement DNSSEC compliance on our primary systems as well.

I’ve also tested my other domains which are also hosted on DNSMADEEASY on the dnssec debugger site and all of them have the same issues as but I managed to create a certificate for them.
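One way to check the question raised in this thread (failing name servers versus a broken DNSSEC delegation), as an added example that is not from any poster: send the same query to a validating resolver with and without the DNS Checking Disabled (CD) bit and compare the response codes. The resolver address and host name in the comments are placeholders, and the two sample replies are constructed rather than captured.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
CD_FLAG = 0x0010  # Checking Disabled: resolver answers without DNSSEC validation
RD_FLAG = 0x0100  # Recursion Desired

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Build a DNS query for `name` (qtype 1 = A), optionally with CD set."""
    flags = RD_FLAG | (CD_FLAG if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def rcode(response):
    """Return the RCODE name from the low 4 bits of the header flags."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def ask(resolver, name, cd, timeout=3.0):
    """Send one UDP query to a validating resolver and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return s.recvfrom(4096)[0]

def diagnose(normal_reply, cd_reply):
    """Compare replies from the same validating resolver with CD off and on."""
    normal, unchecked = rcode(normal_reply), rcode(cd_reply)
    if normal == "SERVFAIL" and unchecked == "NOERROR":
        return "dnssec-validation-failure"  # data is reachable, chain of trust is broken
    if normal == "SERVFAIL":
        return "resolution-failure-without-validation"  # fails even unvalidated
    return "resolves:" + normal

# Constructed sample headers: QR|RD|RA with rcode 2, and QR|RD|RA|CD with rcode 0.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_CD_OK = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)

if __name__ == "__main__":
    print(diagnose(SAMPLE_SERVFAIL, SAMPLE_CD_OK))
    # Live use needs network access; 192.0.2.53 and host.example.com are placeholders:
    # diagnose(ask("192.0.2.53", "host.example.com", False), ask("192.0.2.53", "host.example.com", True))
```

A SERVFAIL that turns into NOERROR once CD is set points at the DS/DNSKEY/RRSIG chain between parent and child zone; a SERVFAIL in both cases points at the name servers themselves.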
