Certificate can't create from please. DNS ERROR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kozmetiktoptancisi.com

I ran this command: when I did create a certificate from the Plesk control panel.

It produced this output:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/9118420502.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: During secondary validation: DNS problem: query timed out looking up A for kozmetiktoptancisi.com


Welcome to the Let's Encrypt Community :slightly_smiling_face:

That error means that the Let's Encrypt main server successfully reached kozmetiktoptancisi.com to get an authentication file, but some Let's Encrypt secondary servers could not reach kozmetiktoptancisi.com. Please try again to see if the problem persists.

Hi @yedekmatik

one of your name servers is buggy - see https://check-your-website.server-daten.de/?q=kozmetiktoptancisi.com

2020-12-06.kozmetiktoptancisi.com

There is a timeout checking EDNS. And your zone definitions are inconsistent.

Fatal: Inconsistency between delegation and zone. The set of NS records served by the 
authoritative name servers must match those proposed for the delegation in the 
parent zone.: ns1.kozmetiktoptancisi.com (188.132.179.100): Delegation: 
ns13.fiberserver.com, ns14.fiberserver.com, Zone: ns1.kozmetiktoptancisi.com, 
ns2.kozmetiktoptancisi.com. Name Servers defined in Delegation, missing in Zone: 
ns13.fiberserver.com, ns14.fiberserver.com.Name Servers defined in Zone, 
missing in Delegation: ns1.kozmetiktoptancisi.com, ns2.kozmetiktoptancisi.com.

Effectively only one IP address works. Maybe fix your delegation and remove the non-working ns14 server.

Maybe there are some random timeouts, so the first DNS check works, one of the secondary ones not.

And your website

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| kozmetiktoptancisi.com | A | 188.132.179.100 Eyüpsultan/Istanbul/Turkey (TR) - Sadecehosting Hostname: win1.fibersunucu.com.tr | yes | 3 | 2 |
| | AAAA | | yes | | |
| www.kozmetiktoptancisi.com | CNAME | kozmetiktoptancisi.com | yes | 1 | 0 |
| | A | 188.132.179.100 Eyüpsultan/Istanbul/Turkey (TR) - Sadecehosting Hostname: win1.fibersunucu.com.tr | yes | | |

has the same IP address, 3 queries, so 2 didn't work. That's a fatal DNS configuration.

If you follow the DNS tree, the root servers show these two DNS servers as authoritative for your domain:

```
nslookup -q=ns kozmetiktoptancisi.com j.gtld-servers.net
kozmetiktoptancisi.com  nameserver = ns13.fiberserver.com
kozmetiktoptancisi.com  nameserver = ns14.fiberserver.com
ns13.fiberserver.com    internet address = 188.132.179.100
ns14.fiberserver.com    internet address = 188.132.179.101
```

If you ask either of those two, they say otherwise:

```
nslookup -q=ns kozmetiktoptancisi.com ns13.fiberserver.com
kozmetiktoptancisi.com  nameserver = ns2.kozmetiktoptancisi.com
kozmetiktoptancisi.com  nameserver = ns1.kozmetiktoptancisi.com
ns2.kozmetiktoptancisi.com      internet address = 188.132.179.100
ns1.kozmetiktoptancisi.com      internet address = 188.132.179.100
```

One could argue that the IPs are the same (included in the root reply).
But that is inconsequential.
The names are NOT the same and this creates a DNS problem.

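The comparison made by hand in the post above, as an added example that is not part of the original thread: it parses the two `nslookup -q=ns` replies quoted there and reports which NS names exist only in the delegation or only in the zone. The function names and result keys are assumptions made for this illustration.

```python
import re

# Replies copied from the two nslookup commands quoted in the thread.
PARENT_REPLY = """\
kozmetiktoptancisi.com  nameserver = ns13.fiberserver.com
kozmetiktoptancisi.com  nameserver = ns14.fiberserver.com
ns13.fiberserver.com    internet address = 188.132.179.100
ns14.fiberserver.com    internet address = 188.132.179.101
"""
ZONE_REPLY = """\
kozmetiktoptancisi.com  nameserver = ns2.kozmetiktoptancisi.com
kozmetiktoptancisi.com  nameserver = ns1.kozmetiktoptancisi.com
ns2.kozmetiktoptancisi.com      internet address = 188.132.179.100
ns1.kozmetiktoptancisi.com      internet address = 188.132.179.100
"""

NS_RE = re.compile(r"^\S+\s+nameserver = (\S+)\s*$", re.M)
ADDR_RE = re.compile(r"^(\S+)\s+internet address = (\S+)\s*$", re.M)

def _norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()

def parse_reply(text):
    """Return (set of NS host names, {host: address}) from nslookup -q=ns output."""
    names = {_norm(n) for n in NS_RE.findall(text)}
    addrs = {_norm(h): ip for h, ip in ADDR_RE.findall(text)}
    return names, addrs

def compare_delegation(parent_text, zone_text):
    """Compare the NS set in the parent's delegation with the zone's own NS set."""
    p_names, p_addrs = parse_reply(parent_text)
    z_names, z_addrs = parse_reply(zone_text)
    p_ips, z_ips = set(p_addrs.values()), set(z_addrs.values())
    return {
        "consistent": p_names == z_names,
        "only_in_delegation": sorted(p_names - z_names),
        "only_in_zone": sorted(z_names - p_names),
        # Overlapping addresses do not repair a name mismatch; listed for context.
        "shared_addresses": sorted(p_ips & z_ips),
        # Delegated addresses that none of the zone's own NS names resolve to.
        "unmatched_delegation_addresses": sorted(p_ips - z_ips),
    }

if __name__ == "__main__":
    for key, value in compare_delegation(PARENT_REPLY, ZONE_REPLY).items():
        print(f"{key}: {value}")
```

The check is driven by the names, matching the post's point: `consistent` stays false even though one address is shared by both replies.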
