DNS Problem: SERVFAIL

When I try to refresh/renew the Letsencrypt certificate on my domain using SSL It! I get an error like noted below. I'm the owner and hoster of the domain, so I have full control. Never had this issue before, and I can't find what exactly is wrong with the DNS settings/configuration.

My domain is: ruimtebot.nl

I ran this command: Update certificate from within plesk using the ssl-it extension

It produced this output:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/13036873672.

Details:
Type: urn:ietf:params:acme:error:dns

Status: 400
Detail: During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.ruimtebot.nl - the domain's nameservers may be malfunctioning

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

Thanks in advance!
XORIC

2 Likes

The "secondary validation" failing implies that the primary validation worked, meaning that it worked from one of Let's Encrypt's main datacenters but not their cloud-based secondary sites. (They check that you own the name from several vantage points on the Internet, to ensure that you actually own the name.) Did this fail just once, or have you tried multiple times? You say "Never had this issue before", but it looks like you only have one prior certificate which is from a few days ago? Why do you need another one?

The only weird things I see about your DNS, which might or might not be related to your problem:

  1. Your "three" DNS servers for your name all have the same IP. This means you don't really have redundancy.
    DNSViz server list for ruimtebot.nl

  2. Your DNS server doesn't echo back the same capitalization that was requested. The Unbound DNS server that Let's Encrypt uses does DNS-0x20 case randomization to help mitigate some possible DNS attacks, so it's actually requesting something like _AcMe-chALleNge.ruImTeboT.nL. But when I run

    dig +norecurse +bufsize=512 TXT _AcMe-chALleNge.ruImTeboT.nL @2a01:7c8:aabf:137::1
    

    I see

    ;; QUESTION SECTION:
    ;_AcMe-chALleNge.ruImTeboT.nL.  IN      TXT
    
    ;; ANSWER SECTION:
    _acme-challenge.ruimtebot.nl. 86400 IN  TXT     "4AQIG1-aEomrNnYtQ9D75idvVmDm_tQ9Y3Z8ILavDfg"
    

    Which has the response all-lowercase. Most DNS servers echo the capitalization back. But again, I'm not sure if that's related to your problem, as it looks from your error message that the primary validation may have worked.

4 Likes
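As an added example (not code from the thread or from Let's Encrypt), the following Python script performs the same DNS-0x20 check as the dig run above, but programmatically: it sends a mixed-case TXT query for the `_acme-challenge` name and reports whether the server copied the question back byte for byte. The constructed replies used in the offline demonstration and the placeholder server address are assumptions; `check_server` does a real UDP query when pointed at one of your own authoritative servers.

```python
import random
import socket
import struct
from typing import Optional

# Added example (not from the thread): checks whether an authoritative server
# echoes a DNS-0x20 mixed-case question back unchanged, as the dig run above does.


def randomize_case(name: str, rng: random.Random) -> str:
    """Flip the case of each ASCII letter at random (DNS-0x20); other characters stay as they are."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)


def build_txt_query(qname: str, txid: int) -> bytes:
    """Minimal non-recursive query (RD=0, like dig +norecurse) for TXT records at qname."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags=0, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    return header + question


def constructed_response(qname: str, txid: int) -> bytes:
    """A constructed, answer-less reply whose question section spells qname exactly as given."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0)  # QR=1, AA=1, no answers
    return header + build_txt_query(qname, txid)[12:]


def parse_question_name(packet: bytes) -> str:
    """Return the first QNAME as it appears on the wire, case preserved."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def echoes_case(query: bytes, response: bytes) -> bool:
    """True when the responder copied the question back byte for byte, which DNS-0x20 relies on."""
    return parse_question_name(query) == parse_question_name(response)


def check_server(qname: str, server: str, seed: Optional[int] = None, timeout: float = 3.0) -> bool:
    """Send one randomized-case TXT query over UDP to `server` and report whether the case came back intact."""
    rng = random.Random(seed)
    query = build_txt_query(randomize_case(qname, rng), rng.randrange(0x10000))
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return echoes_case(query, response)


if __name__ == "__main__":
    # Offline demonstration with constructed replies. For a live check against your own
    # server use e.g. check_server("_acme-challenge.example.nl", "192.0.2.53") (placeholder address).
    sent = build_txt_query("_AcMe-chALleNge.ruImTeboT.nL", 0x1234)
    print("exact echo :", echoes_case(sent, constructed_response("_AcMe-chALleNge.ruImTeboT.nL", 0x1234)))
    print("lowercased :", echoes_case(sent, constructed_response("_acme-challenge.ruimtebot.nl", 0x1234)))
```

A server that returns `False` here is not necessarily broken for plain resolvers, but a validating resolver doing 0x20 randomization may treat the mismatched question as a forged or damaged reply and retry or fail, which is the kind of mismatch worth ruling out when validation succeeds from some vantage points and not others.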

Are you using anything like fail2ban ?

4 Likes

The current domain just has a certificate for the root name not a wildcard one.
I host multiple sites on this server but haven't had any issues on the domain/dns validation.
It's true that the DNS names direct to one IP, I'm working on redundancy but still no time to build 2 other DNS servers.

So I find it a bit weird that the validation isn't accepted.
I don't understand why Letsencrypt isn't getting a result on some servers.

2 Likes

I do use Fail2ban, but I never had an issue with it before.
The server that currently hosts the webpage and domain/dns didn't have any issues in the past 2 years.

If there is a list of the letsencrypt verification servers I can try to exclude them from the fail2ban.

2 Likes

There is no list; Let's Encrypt uses various cloud services to check that your DNS (and the site itself if not using DNS-01) is accessible from everywhere on the Internet, as it's the only way to ensure that you actually own the name as seen from everywhere on the Internet. It looks like a bunch of IPs at once hammering your system, so you might want to look in your logs and see if you're blocking some traffic at the time that you're trying the challenge. You need to ensure that your DNS is unblocked from everywhere on the Internet in order to get a Let's Encrypt certificate.

3 Likes

If all three DNS name servers resolve to the same IP, then the concurrent LE checks to them would get multiplied by three to the same IP.
[which might seem excessive, or like an attack, to Fail2Ban]

4 Likes
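The two replies above suggest the same diagnosis: several validation vantage points, each querying all three NS names that share one address, produce a burst of queries that fail2ban can mistake for an attack. As an added example (not from the thread, and not a Let's Encrypt or fail2ban tool), the Python below does the two checks a server operator would run: it pulls the `Ban` entries from fail2ban's log that fall within a few minutes of the renewal attempt, and it estimates how many near-simultaneous queries a single address receives given the NS-to-address mapping. The log lines, the jail name `named-refused`, the timestamps, the addresses and the number of vantage points (the thread only says "several") are all constructed for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Added example (not from the thread). All log lines, addresses, jail names and
# timestamps below are constructed; replace them with your own fail2ban.log and NS data.

# Real fail2ban.log layout: "<date> <time>,<ms> fail2ban.actions  [<pid>]: NOTICE  [<jail>] Ban <ip>"
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)"
)

FAIL2BAN_LOG = [  # constructed sample of /var/log/fail2ban.log
    "2024-05-01 09:30:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.44",
    "2024-05-01 10:01:55,123 fail2ban.actions        [1234]: NOTICE  [named-refused] Ban 198.51.100.7",
    "2024-05-01 10:02:03,456 fail2ban.actions        [1234]: NOTICE  [named-refused] Ban 203.0.113.9",
    "2024-05-01 10:02:04,001 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.5",
    "2024-05-01 10:32:10,000 fail2ban.actions        [1234]: NOTICE  [named-refused] Unban 198.51.100.7",
]
ATTEMPT = datetime(2024, 5, 1, 10, 2, 0)  # constructed time of the failed renewal

# Constructed NS layout mirroring the thread: three names, one address.
NS_ADDRESSES = {
    "ns1.example.nl": "192.0.2.10",
    "ns2.example.nl": "192.0.2.10",
    "ns3.example.nl": "192.0.2.10",
}


def parse_bans(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, jail, action, ip) for every Ban/Unban line, in log order."""
    out = []
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["action"], m["ip"]))
    return out


def bans_near(lines: List[str], attempt: datetime, window_minutes: float = 5) -> List[Tuple[str, str]]:
    """(jail, ip) of bans issued within +/- window_minutes of the ACME attempt."""
    limit = window_minutes * 60
    return [
        (jail, ip)
        for ts, jail, action, ip in parse_bans(lines)
        if action == "Ban" and abs((ts - attempt).total_seconds()) <= limit
    ]


def queries_per_address(vantage_points: int, ns_addresses: Dict[str, str]) -> Dict[str, int]:
    """Each vantage point asks every NS name once; names that share an address stack up on it."""
    counts: Dict[str, int] = {}
    for addr in ns_addresses.values():
        counts[addr] = counts.get(addr, 0) + vantage_points
    return counts


def addresses_at_risk(counts: Dict[str, int], maxretry: int) -> List[str]:
    """Addresses whose burst reaches a jail's maxretry, if its filter counts those queries as matches."""
    return sorted(addr for addr, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("bans around the attempt:", bans_near(FAIL2BAN_LOG, ATTEMPT))
    burst = queries_per_address(4, NS_ADDRESSES)  # 4 vantage points is an assumption
    print("queries per address:", burst, "-> at risk with maxretry=5:", addresses_at_risk(burst, 5))
```

If the first check lists bans in a DNS-related jail at the moment of the attempt, that jail's filter is the thing to tune; since there is no published list of validation addresses, the durable fix is to stop the filter from counting legitimate queries, and giving the three NS names distinct addresses also divides the burst by three.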

It indeed was Fail2Ban....
Never had this issue before, but now I know.

3 Likes
