Could not issue a Let’s Encrypt SSL/TLS certificate on any web server

My domain is:

I ran this command:

Secure Plesk with a free SSL/TLS certificate

It produced this output:
Could not issue an SSL/TLS certificate for

Could not issue a Let's Encrypt SSL/TLS certificate for Authorization for the domain failed.


Invalid response from


Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: Fetching Timeout during connect (likely firewall problem)

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built: 2022-09-30T04:09:50

The operating system my web server runs on is (include version):

IP address (


Ubuntu 22.04.1 LTS


Plesk Obsidian
Version 18.0.49 Update #1, last updated on Dec 21, 2022 10:52 AM

My hosting provider, if applicable, is:
I run the service on my server and manage the VSP

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

This is your problem. Make sure Apache is listening on port 80, and there's no firewall (on your server, at your ISP, or anywhere else) blocking connections to port 80.


I turned off all firewalls up to my ISP connection and still have the same. My ISP says they don't block anything because I have a Business Internet with IPs.

When I test my site using " - Make your website better - DNS, redirects, mixed content, certificates", it is all green.

You need to read that output more carefully--it's telling you you have DNSSEC issues (which confirms: Let's Debug), and that connections to your site time out.


OK, how can I fix it? There are no followable instructions anywhere. They all read like how-to-set-your-clock instructions on a VCR from the 70s.

This says for not - Not the same server/host/ip.

Bitmap: A, NS, SOA, MX, TXT, RRSIG, NSEC, DNSKEY Validated: RRSIG-Owner, Algorithm: 13, 2 Labels, original TTL: 3600 sec, Signature-expiration: 05.01.2023, 00:00:00 +, Signature-Inception: 15.12.2022, 00:00:00 +, KeyTag 4742, Signer-Name:

Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC covers the Query Name, but there are not enough informations about wildcards: NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC-Records, so DNSSEC works.

That would be a question to direct to your DNS host.


Hmmm, I am using Google.

No, you aren't. The DNS host who is providing that service for your domain, not whatever DNS server your client machine is connecting to.


My apologies, I am new to DNS so I have no clue what the difference is. So I own and run all the servers and services.

Again, this is incorrect. Your DNS hosting is being done by Network Solutions, who is also your domain registrar; you are not hosting that yourself. You could do that, but it isn't necessary, and I don't think I'd recommend it. So, you can ask Network Solutions how to fix their DNSSEC, or you can consider using a different DNS host. For the latter, I use Cloudflare. They're free for DNS service (they have other services which they charge for, but DNS is free), and they seem to work well.


I am the registrar in Network Solutions for all my domain names.

The odd thing is it worked once but won't "renew", and no new websites will register, and nothing has changed on the server or Network Solutions.

No, you are not the registrar. Network Solutions is the registrar. You may be the registered owner (I can't see that, but I trust it's the case), but not the registrar.


Sure, I buy and sell domain names and completely manage them in Network Solutions and SRS. I just need what Let's Encrypt is looking for and an example of what to put in DNS, like:
create a TXT record like "" and so on.

I do thank you for all your help and feedback!

To check the DNS see the site (link here). If you try looking up a CAA or AAAA record you will get a SERVFAIL. These are not required but the DNS server should return "not found" and not SERVFAIL. We recently had a similar problem with another person who was using Network Solutions. You will need to work with them on this problem.
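
The SERVFAIL check described in the reply above, as an added example that is not part of the original thread: it reads the status from `dig` output for a CAA (or AAAA) query, once from a validating resolver and once with checking disabled (`+cd`), and tells a DNSSEC validation failure apart from a broken or unreachable name server. The function names and the sample `dig` headers are constructed for illustration, and `example.com` is a placeholder.

```shell
#!/bin/sh
# Added example: classify resolver answers for a CAA/AAAA lookup.
# An empty NOERROR (or NXDOMAIN) answer is acceptable; SERVFAIL is not.

# Constructed sample dig headers (not captured from the poster's domain).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Print the response code found on dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' |
        head -n 1
}

# classify_lookup VALIDATED_OUTPUT CD_OUTPUT
#   VALIDATED_OUTPUT: dig output from a validating resolver
#   CD_OUTPUT:        the same query with +cd (DNSSEC checking disabled)
classify_lookup() {
    v=$(dig_status "$1")
    c=$(dig_status "$2")
    case "$v:$c" in
        NOERROR:*|NXDOMAIN:*)
            echo "ok" ;;
        SERVFAIL:NOERROR|SERVFAIL:NXDOMAIN)
            # Fails only when signatures are checked: the zone's DNSSEC is bogus.
            echo "dnssec-validation-failure" ;;
        SERVFAIL:SERVFAIL)
            # Fails either way: name servers unreachable or misbehaving.
            echo "authoritative-or-network-failure" ;;
        *)
            echo "unknown" ;;
    esac
}

# Offline demonstration on the constructed samples.
classify_lookup "$SAMPLE_VALIDATED" "$SAMPLE_CD"

# Live use against a real zone (placeholder name):
#   classify_lookup "$(dig CAA example.com)" "$(dig +cd CAA example.com)"
```
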

I link it here only as a reminder for other volunteers

  • Working DNS (including DNSSEC if you're using it) is essential for any validation method. You don't need to use DNSSEC, but if you're using it, it must be configured properly, and that looks like it's the most fundamental problem with your domain right now.
  • Second, if you're using HTTP validation, your server must respond on port 80. This is also a problem with your domain right now.

DNSSEC might be something you can add and remove records from your DNS zone control panel.
If the problem is "lower" than that, then only the DNS server admin [Network Solutions] can fix it.

Can you enable/disable DNSSEC on this zone?


I can only select or deselect Allowed algorithms for key generation or change Key Signing Key (KSK) Types and Zone Signing Key (ZSK)

This is all I have in the software:

DNSSEC Settings

These settings are used by default when DNS zone owners sign their zones. DNS zone owners can specify custom DNSSEC settings for their DNS zones.

Allowed algorithms for key generation
Key Signing Key (KSK)
Default algorithm

Default key size
Default rollover period

Zone Signing Key (ZSK)
Default algorithm

Default key size
Default rollover period


This is bad:

I'd choose: