This is only the alias not the DNS record, you can see in the response that there is a resolve problem:
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “DNS problem: SERVFAIL looking up A for webapi.pre-uat.sazka.cz”,
“status”: 400
What domains?. because there are certificates issued by Let's Encrypt for msh.sazka.cz (with 1 subdomain), nebe.sazka.cz (with 3 more subdomains) and sazimenasport.sazka.cz and all of them are resolved directly by sazka.cz dns servers. Now, pre-uat.sazka.cz has been delegated and it is resolved by dnsmadeeasy.com name servers but you didn't prepare this child zone to use DNSSEC.
In the first link I provided to you you will see the problems you need to resolve:
No DS records found for pre-uat.sazka.cz in the sazka.cz zone
There’s nothing inherently wrong with a signed-to-unsigned delegation. (After all, the root zone is signed, and many other zones aren’t.) The problem is doing it incorrectly, which is, i suppose, what the red errors on DNSViz are about.
I closed the access to these URLs so you won’t be able to browse.
All of my other delegated domain ( I have about 10 of them ) are configured the same as this one and i managed to generate a certificate for all of them except this one.
This is very weird, haven’t encountered this issue yet.
I’ve tested all the endpoint and you can browse to them from all over the world once i allow the connection in the FW ( which I have when i tried to generate the certificate)
I found this on DNSMADEEASY website:
DNS Made Easy does provide support for DNSSEC using our secondary DNS service. We do not provide support for DNSSEC using our primary DNS service at this time. As more resolving name servers implement support for this feature, DNS made Easy will implement DNSSEC compliance on our primary systems as well.
I’ve also tested my other domains which are also hosted on DNSMADEEASY on the dnssec debgger site and all of them have the same issues as pre-uat.sazka.cz but I managed to create a certificate for them.