Could not issue a Let's Encrypt SSL/TLS certificate

My domain is:

I ran this command: installing lets encrypt cert on domain

It produced this output: An issue occurred while securing the domain

Could not issue a Let's Encrypt SSL/TLS certificate for Authorization for the domain failed.
Invalid response from
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: SERVFAIL looking up A for - the domain's nameservers may be malfunctioning

My web server is (include version): Plesk Onyx 17.8.11 Update #92

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS‬

My hosting provider, if applicable, is: 1&1 (fasthosts)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx 17.8.11 Update #92

Thanks in advance.

1 Like

Welcome to the Let's Encrypt Community, Dan :slightly_smiling_face:

It looks like the DNS servers for have some very serious issues.

1 Like

Thanks for your reply. This domain was originally bought through Google Domains and transferred to tsohost. I have spoken to tsohost, and had them double check the domains configuration but said everything is good. They also don't have/use DNSSEC. What's the next step?

1 Like

I am able to visit your site and see the content. Every tool I use fails though. :thinking:

I'm going to poke at someone with a much greater experience here. He may not be around right now, so please give him some time.


Any thoughts here?

1 Like

Your domain has DNSSEC enabled at the registration level:

$ dig +noall +answer ds   3600    IN      DS      17491 8 2 AA94B090BA6811E7A692527C9C89E55C007F7202C92F98584F584104 DABB6E56

If you transferred the registration to tsoHost from Google, it's possible the DNSSEC configuration arrived during the transfer without them realizing.

Only you (via your domain registrar) can remove the DNSSEC configuration. Try tsoHost support again, and show them the above query.


Thanks so much for your help. I will get back to tsoHost tomorrow morning.


Thanks, @_az. :slightly_smiling_face:

1 Like

I have been able to chat to tsoHost and they said:

"I have double-checked and it appears that the DNSSEC cannot be disabled from our end and a possible workaround would be to use an external DNS zone instead of ours.

"There is no DS record in our active zone."

Would I need to contact Google domains instead perhaps, or as tsoHost suggested, update the nameservers and point them to the DNS zone of the provider that is currently hosting the website?

1 Like

DNSSEC cannot be disabled from our end

What :expressionless: ? They are the registrar for your domain. They are literally the only ones who can disable it.

Transfer your domain away to a competent registrar.

1 Like

Then they are not looking in the right place:

Does your DNS control panel have a section for DNSSEC?

1 Like

Would changing the Nameservers in tsoHost to say Cloudflare to manage the DNS resolve this? I know they use DNSSEC and you can configure it in their control panel.


To any other DNS provider - they all do it.
[edit: domain registrar]

1 Like

Thanks for your reply. No, there is no DNSSEC section in the control panel - thinking of changing the nameservers to Cloudflare, they have a DNSSEC control panel?


I don't use CF for DNS.
But they should have it.
If they don't (which I doubt), you can also use something like:

1 Like

Changing your nameservers isn't going to help.

DNSSEC is enabled at the registry level, this is Nominet, who operate the .uk ccTLD.

Your registrar (tsoHost) has to tell Nominet to disable it. This is usually done programatically.

You can't work around it any other way.


I must be half asleep = So true!
You will need to transfer the domain to a registrar that supports DNSSEC.


I got back in touch with tsoHost and apparently now they have disabled DNSSEC! This team member seemed to be more knowledgeable - thanks to the information you guys @rg305 and @_az supplied.

I ran the "dig" command above for and it came up empty, so I guess it worked? Just need to wait a few hours for it to propagate they said.


I'm glad you got a better support rep :slight_smile: .

Yes, I think you should be able to issue a certificate now.


So they ARE a real registrar ! ! !

[that's what happens when you let the "new guy" answer the phone]


Cert issued - thanks again