Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: 4no1.net
I ran this command:
certbot renew
It produced this output:
DNS problem: SERVFAIL looking up A for 4no1.net - the
domain’s nameservers may be malfunctioning
My web server is (include version):
Server version: Apache/2.4.25 (Raspbian)
Server built: 2019-10-13T15:43:54
The operating system my web server runs on is (include version):
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
My hosting provider, if applicable, is:
Myself
I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO control panel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0
There's not really much more to explain which isn't already covered on the DNSViz URI I pasted above. If you hover over the triangular icons with the exclamation mark, you'll see the actual error messages.
The main error (in the graph pointed out by the big red error from the "net" zone to your domain) is:
No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.
Looks like your old DNS provider had DNSSEC support and your new one does not. Then the result is expected.
Check whether you can recalculate your DNSSEC. If that isn't possible, check whether you can remove DNSSEC.
PS: The parent zone says you have working DNSSEC. But your zone doesn't send the correct DNSKEY RR. So your DNSSEC is broken. Or there is a man in the middle. But in most cases, it's a buggy configuration.
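What "a key corresponding to a DS RR" means in practice, as an added example that is not part of the original thread: the parent's DS record carries a key tag and a digest of one DNSKEY (RFC 4034), and a validator needs a DNSKEY served by the zone that reproduces both. The zone name and key bytes below are constructed placeholders, and the function names are this example's own.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def secure_entry_points(owner, ds_set, dnskeys):
    """DNSKEYs that some parent DS record matches on tag, algorithm and digest."""
    found = []
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        for tag, alg, dtype, digest in ds_set:
            if (tag, alg) == (key_tag(rdata), key[2]) and dtype in DIGESTS \
                    and ds_digest(owner, rdata, dtype) == digest.upper():
                found.append(key)
                break
    return found

# Constructed sample data: placeholder key bytes, not real keys for any zone.
ZONE = "example.net"
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
_old = dnskey_rdata(*OLD_KSK)
PARENT_DS = [(key_tag(_old), 13, 2, ds_digest(ZONE, _old, 2))]  # left at the registry

if __name__ == "__main__":
    for label, served in (("old provider", [OLD_KSK]), ("new provider", [NEW_KSK]),
                          ("new provider, unsigned", [])):
        ok = secure_entry_points(ZONE, PARENT_DS, served)
        print(f"{label}: {'chain intact' if ok else 'no SEP -> validators answer SERVFAIL'}")
```

An empty result while the parent still publishes a DS is the state the DNSViz message describes; the chain becomes consistent again either when the zone serves a matching, signing DNSKEY or when the DS is removed from the parent.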
Thanks for your reply. My vendor says DNSSEC is obligatory in .net. However, I think this is new, because in the last 2 years I could use my domain without problems until I needed to renew in these three months. I don't know how I can fix it.
DNSSEC is excellent. But it's the job of the DNS provider to create a working solution.
Normally, it's only a "one click thing" - the client (you) can activate or deactivate it. The DNS provider creates the correct DS and DNSKEY or removes the DS in the parent zone.
-->> Ask your DNS provider why your DNSSEC is broken. They have to fix it.
My vendor for 4no1.net is akky.mx
My DNS provider is CDMON. Do you know another DNS provider? I have a dynamic IP, and CDMON is very easy to configure, but I can only create an A name for my domain and subdomain, and MX. I can't create any other kind of entry in the DNS.
Or, I have 3 other sites with Debian servers where I could create my own DNS. But I can't remember the name for this kind of DNS that replicates around the world.
Do you know the name for this DNS, and where to search for information to create my own DNS?
Dear JurgenAuer, thanks a lot for the great light you showed me today. At this moment I can resolve my issue. But I will read more about DNSSEC, to try to use it, since it is new to me. But at this moment I can renew my certificates.
Again, thanks a lot.
P.S. At this moment I need to erase the DS records. But I will try DNSSEC when I understand the whole process. I need to read more about DNSSEC.