The operating system my web server runs on is (include version): Windows Server 2012R2
My hosting provider, if applicable, is: Network Solutions but DNS Server is ours
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certify SSL/TLS Certificate Manager 5.0.12.0
Thank you for your explanation, I have added all entries “issue” and “issuewild” for *.gammaconsult.com and for gammaconsult.com. Would you please check again if it works, so I can try to request?
Here’s what a normal response from the gTLD nameservers looks like:
Frame 2: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits) on interface eth0, id 0
Ethernet II, Src: Cisco_0d:97:c1 (84:78:ac:0d:97:c1), Dst: f2:3c:91:a2:6a:56 (f2:3c:91:a2:6a:56)
Internet Protocol Version 6, Src: 2001:503:eea3::30, Dst: 2600:3c03::f03c:91ff:fea2:6a56
User Datagram Protocol, Src Port: 53, Dst Port: 39980
Domain Name System (response)
Transaction ID: 0x8af6
Flags: 0x8100 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 2
Additional RRs: 3
Queries
Authoritative nameservers
Additional records
ns.GAmmaConSult.CoM: type A, class IN, addr 176.111.52.245
ns2.GAmmaConSult.CoM: type A, class IN, addr 176.111.52.243
<Root>: type OPT
[Request In: 1]
[Time: 0.063429679 seconds]
Here’s what Unbound is receiving:
Frame 89: 541 bytes on wire (4328 bits), 541 bytes captured (4328 bits) on interface eth0, id 0
Ethernet II, Src: Cisco_57:aa:c1 (84:78:ac:57:aa:c1), Dst: f2:3c:91:a2:6a:56 (f2:3c:91:a2:6a:56)
Internet Protocol Version 4, Src: 192.12.94.30, Dst: 172.104.24.29
User Datagram Protocol, Src Port: 53, Dst Port: 35649
Domain Name System (response)
Transaction ID: 0xe574
Flags: 0x8010 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 7
Additional RRs: 1
Queries
Authoritative nameservers
Additional records
<Root>: type OPT
[Request In: 78]
[Time: 0.020171440 seconds]
Note the missing 2 additional glue records in the latter packet.
(Some of the other numbers are different because DNSSEC was enabled in one but not the other, but I’ve tried disabling DNSSEC validation and it makes no difference).
You have DNSSEC set up at your domain registrar and your DNS host, which is fine.
The only problem is, at your domain registrar (web.com I think), you have DNSSEC set up 4 times - 4 different keys. This is causing problems for Let’s Encrypt’s resolver.
You are probably only using one of the DNSSEC keys. You should delete the 3 you are not using.
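One way to see which of the DS records published at the registrar actually correspond to a DNSKEY the zone serves, as an added example that is not part of this thread: compute the DS for every DNSKEY in the zone (RFC 4034 key tag, RFC 4509 SHA-256 digest over the canonical owner name plus DNSKEY RDATA) and report every registrar DS that nothing in the zone produces. The zone name is the one from the thread, but the two DNSKEY public keys and the four DS records are constructed placeholders, not the real gammaconsult.com key material; SHA-1 and SHA-384 digest types are handled as well so the check also covers DS sets that mix digest types.

```python
"""Find DS records at the registrar that match no DNSKEY served by the zone.

Added example, not from the original thread. All key material and DS values
below are constructed placeholders, not the real gammaconsult.com records.
"""
import base64
import hashlib
import struct

# RFC 4034 / 4509 / 6605 DS digest types.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of an owner name (lowercase, uncompressed), RFC 4034 s6.2."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, uppercase hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parse_dnskey(text):
    """Parse presentation form 'flags protocol algorithm base64key' into RDATA."""
    flags, proto, alg, *b64 = text.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(text):
    """Parse presentation form 'keytag algorithm digesttype hexdigest' into a DS tuple."""
    tag, alg, dtype, *digest = text.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())


def orphan_ds(owner, dnskeys, ds_set):
    """Return the DS records in ds_set that no DNSKEY in the zone produces."""
    wanted_types = {ds[2] for ds in ds_set if ds[2] in DIGESTS}
    computed = {ds_from_dnskey(owner, rd, t) for rd in dnskeys for t in wanted_types}
    return [ds for ds in ds_set if ds not in computed]


# --- constructed sample data (placeholders, not real keys) -------------------
ZONE = "gammaconsult.com."
# Two ECDSA P-256 (algorithm 13) KSKs with made-up 64-byte public keys.
ZONE_DNSKEYS = [
    parse_dnskey("257 3 13 " + base64.b64encode(bytes(range(64))).decode()),
    parse_dnskey("257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()),
]
# Registrar publishes four DS records: two derived from the keys above and two
# stale entries (made-up tags and digests) that no current DNSKEY matches.
REGISTRAR_DS = [
    ds_from_dnskey(ZONE, ZONE_DNSKEYS[0]),
    ds_from_dnskey(ZONE, ZONE_DNSKEYS[1]),
    parse_ds("12345 13 2 " + "00" * 32),
    parse_ds("54321 13 2 " + "11" * 32),
]


def check_registrar(owner=ZONE, dnskeys=ZONE_DNSKEYS, ds_set=REGISTRAR_DS):
    """Run the comparison and return the list of stale DS records."""
    return orphan_ds(owner, dnskeys, ds_set)


if __name__ == "__main__":
    for tag, alg, dtype, digest in check_registrar():
        print(f"stale DS at registrar: {tag} {alg} {dtype} {digest}")
```

In practice the DNSKEY RRset comes from `dig DNSKEY <zone> @<authoritative-server>` and the DS set from `dig DS <zone> @<parent-server>`; paste each record's RDATA into `parse_dnskey` / `parse_ds` and the stale entries the registrar should remove are the ones returned.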
In my config I have 2 keys for the reverse zone and 2 keys for the domain. Now I have deleted 1 key of each kind, so will this work, or do I need to do it with my registrar too?
I’ve tried to remove these extra keys but on Windows DNS Server it is not possible to have less than 3 keys - 2 keys are active and one is standby. I already wrote to my registrar to change the DS keys in the .com zone for my domain and will check again tomorrow to see what will happen.
OK, but now I receive another error: NS problem: SERVFAIL looking up TXT for _acme-challenge.gammaconsult.com - the domain’s nameservers may be malfunctioning
I’m totally confused what is going on now because this client automatically creates DNS TXT records?!
Sure, I need to have my own DNS server for other reasons. I’ll wait until tomorrow for DNSSEC to be fixed and will write if this does not work. Thank you very much for your help!
@JuergenAuer Hello, thank you very much for pointing me in the right direction to resolve my issue with cert renewal. After I reduced the DNSKEY keys to 2 through our registrar I’m able to generate new certs! Thanks again!