Certbot not able to verify .co.in domain - DNSSEC error

PFB details--

My domain is: pinakis.co.in

I ran this command: certbot certonly --manual --preferred-challenges=dns --server=https://acme-staging-v02.api.letsencrypt.org/directory --agree-tos -d pinakis.co.in

It produced this output:
Challenge failed for domain pinakis.co.in
dns-01 challenge for pinakis.co.in
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: pinakis.co.in
    Type: dns
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.pinakis.co.in - the domain's nameservers may be

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: GoDaddy - InfinityFree

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Your DNSSEC is malfunctioning. See for more information: https://dnsviz.net/d/pinakis.co.in/dnssec/

Note that this is not limited to Let's Encrypt and not limited to the TXT record Let's Encrypt uses for the dns-01 challenge. All DNSSEC-enabled DNS resolvers will return SERVFAIL for lookups to your domain, so in essence all services through DNS are down for those users.

Note 2: is there a particular reason why you're using the manual plugin with the dns-01 challenge? You're not requesting a wildcard certificate, so why not use the http-01 challenge through the standalone plugin, if you don't have a webserver running yourself?

1 Like

Hi @pinakispecial

see your check - ~10 minutes old - https://check-your-website.server-daten.de/?q=pinakis.co.in


Your parent zone says you use DNSSEC.

But your zone isn't signed; there is no DNSKEY with the values of the parent zone.

So Let's Encrypt can't validate your domain.

Update your zone information or (not so good) disable DNSSEC.

PS: That

will not work. The check has found an aes.js script, so the hoster blocks /.well-known/acme-challenge with that script.

But the DNSSEC is fundamental.

1 Like
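The mismatch both replies describe (a DS record at the parent with no matching DNSKEY in the zone) can be checked offline once the two record sets have been fetched. The following is an added example, not code from the thread or from Let's Encrypt; the function names are hypothetical and the sample key is constructed, not taken from any real zone.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercased) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, hex digest) derived from a DNSKEY."""
    rdata = dnskey_rdata(*key)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)

def check_delegation(owner, parent_ds, child_dnskeys):
    """Classify a delegation from the parent's DS set and the zone's DNSKEY set."""
    usable = [ds for ds in parent_ds if ds[2] in DIGESTS]
    if not usable:
        return "insecure"  # no usable DS at the parent: zone is treated as unsigned
    for ds in usable:
        for key in child_dnskeys:
            tag, alg, _, digest = make_ds(owner, key, ds[2])
            if (tag, alg, digest) == (ds[0], ds[1], ds[3].upper()):
                return "ok"  # chain of trust links parent and child
    return "bogus"  # DS published but no matching DNSKEY: validators answer SERVFAIL

# Constructed sample data: a fake 64-byte "public key" for algorithm 13, not a real key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_DS = make_ds("example.co.in", SAMPLE_KEY)

if __name__ == "__main__":
    print(check_delegation("example.co.in", [SAMPLE_DS], [SAMPLE_KEY]))  # zone signed
    print(check_delegation("example.co.in", [SAMPLE_DS], []))  # the case in this thread
    print(check_delegation("example.co.in", [], []))  # DS removed at the parent
```

The DS and DNSKEY tuples would come from querying the parent and the zone itself (for example `dig DS` and `dig DNSKEY` for the domain); this sketch only compares them and does not verify any signatures.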
