Error issuing certificate when domain and hosting for this domain are from different companies

Hello, I've bought the domain
yourhappiness.in.ua
from the company redo.ua,
and changed the IP address there (in the DNS settings of the domain)
to point to my hosting (another company, UkrLine).

Then I went to my hosting panel (Plesk) at UkrLine hosting,
added the domain "yourhappiness.in.ua" there, OK,
and wanted to add a free certificate from Let's Encrypt
(I turned on the "wildcards" option for a domain like *.yourhappiness.in.ua).
Then I was asked to add a TXT record in the DNS settings for the domain.
I went in Plesk to the DNS settings of yourhappiness.in.ua,
enabled management of all those records there etc.,
and clicked "Add record".
There I chose the "TXT" record,
added a subdomain
_acme-challenge.yourhappiness.in.ua
Record type: TXT
Domain name: _acme-challenge.yourhappiness.in.ua
Record: sE7-zAjS34qw_zyoVTyvLX7p6fQnpmZqtwnV2OYvxi0
or something like this (it changes every time I try).
So, when I click "reload" after adding the TXT record for _acme-challenge,

I get the same error each time I try:
=======
Could not issue an SSL/TLS certificate for yourhappiness.in.ua
Details
Could not issue a Let's Encrypt SSL/TLS certificate for yourhappiness.in.ua. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/156004548057.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.yourhappiness.in.ua - check that a DNS record exists for this domain
=======

My suspicion is that this happens because I bought the domain from one company
while the hosting is with another. So maybe these two companies conflict,
and maybe I need some extra settings, but I don't know which.
Even the support at my hosting company said they don't know how to solve the certificate problem
(I tried it the same way for a few other domains; they can't help).

If I add a certificate for my other main domain at the hosting company, it works,
and also for subdomains (I do it the same way as described above),
but it doesn't work for an external domain (registered somewhere other than the hosting company).
So if the domain and the hosting for this domain are from different companies,
can I install your free certificate? If yes, what should I do?

Below is some extra info in form:

My domain is:
yourhappiness.in.ua

I ran this command:
"Reload" after adding the TXT record for the free Let's Encrypt certificate

It produced this output:
Could not issue an SSL/TLS certificate for yourhappiness.in.ua
Details
Could not issue a Let's Encrypt SSL/TLS certificate for yourhappiness.in.ua. Authorization for the domain failed.
Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/156004548057.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.yourhappiness.in.ua - check that a DNS record exists for this domain

My web server is (include version):
ASP.NET; the hosting company is ukrline.com.ua

The operating system my web server runs on is (include version):
I don't know

My hosting provider, if applicable, is:
ukrline.com.ua

I can login to a root shell on my machine (yes or no, or I don't know):
I think no; Plesk seems to have no command line

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk; I don't know the version or where to see it

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I don't know how to check it or run this command; it is probably disabled for me by my hosting company UkrLine

Do you require a wildcard certificate? If not, please try again but without turning on the wildcard option. Chances are, your hosting environment can get a certificate using the http-01 challenge automatically, but this would not be possible for getting a wildcard certificate.

3 Likes
nslookup -q=txt _acme-challenge.yourhappiness.in.ua
*** dns.google can't find _acme-challenge.yourhappiness.in.ua: Non-existent domain

nslookup -q=txt _acme-challenge.yourhappiness.in.ua.yourhappiness.in.ua
_acme-challenge.yourhappiness.in.ua.yourhappiness.in.ua text =
        "o8gyM-TbUzg8jNsYMkIc7WqhGmDvoBDz7_25yuSEVvs"

When you create the TXT record entry, use "_acme-challenge" not with the domain added.

3 Likes
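The nslookup output above shows the classic failure mode: the panel appended the zone name to a record name that already contained it, so the TXT record landed at `_acme-challenge.yourhappiness.in.ua.yourhappiness.in.ua` and the CA got NXDOMAIN at the name it actually queries. The following is an added example (not code from the thread or from Plesk) that computes the dns-01 TXT value the way RFC 8555 §8.4 specifies and checks a snapshot of zone TXT records for both the correct name and the doubled-suffix mistake; the zone contents, token and account thumbprint are constructed placeholders.

```python
import base64
import hashlib


def challenge_name(domain: str) -> str:
    """Owner name the CA queries for dns-01: _acme-challenge.<domain> (no trailing dot)."""
    return "_acme-challenge." + domain.strip(".").lower()


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT data = base64url(SHA-256(token '.' thumbprint)) without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_dns01(domain, zone_txt_records, token, account_thumbprint):
    """Validate a dns-01 setup against a dict of {owner_name: [txt strings]}.

    Returns (ok, reason). A missing record is reported as NXDOMAIN, and the
    'zone suffix appended twice' panel mistake from the thread is named explicitly.
    """
    name = challenge_name(domain)
    expected = dns01_txt_value(token, account_thumbprint)
    values = zone_txt_records.get(name)
    if values is None:
        doubled = name + "." + domain.strip(".").lower()
        if doubled in zone_txt_records:
            return False, f"NXDOMAIN for {name}: record exists at {doubled} (zone suffix appended twice)"
        return False, f"NXDOMAIN for {name}"
    if expected in values:
        return True, "ok"
    return False, f"TXT at {name} present but no value matches the key authorization"


if __name__ == "__main__":
    # Constructed placeholder zone, token and thumbprint (not real ACME data).
    token, thumbprint = "constructed-token", "constructed-thumbprint"
    good_zone = {"_acme-challenge.example.test": [dns01_txt_value(token, thumbprint)]}
    bad_zone = {"_acme-challenge.example.test.example.test": [dns01_txt_value(token, thumbprint)]}
    print(check_dns01("example.test", good_zone, token, thumbprint))
    print(check_dns01("example.test", bad_zone, token, thumbprint))
```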

I think I don't really require wildcards (*), so yes, I unchecked it, and now it works. Thank you.

As for not adding a domain name after "_acme-challenge": it is added automatically, I cannot change it. It is not editable in Plesk. But anyway, Osiris already helped and now it all seems to work. Thank you for the free certificates! And may God bless you all with everything.

2 Likes

You might want to consider configuring a HTTP to HTTPS redirect. That said, I'm not familiar with Plesk, so no idea how one would do that using Plesk :roll_eyes:

4 Likes

If you control your domain name, you can change it / delete it.
And that entry should be deleted - it serves no purpose.

3 Likes

To understand why this makes a difference here, you can also see the documentation at

(explaining the different kinds of things that need to be done, under Let's Encrypt policy, to prove ownership of a domain name for wildcard vs. non-wildcard certificates)

2 Likes

The baseline requirements also require a DNS challenge for wildcard certs nowadays, so it's not just LE policy :wink:

4 Likes

Oh, I didn't realize that!

3 Likes

In effect since December 2021:

2021‐12‐01
3.2.2.4
CAs MUST NOT use methods 3.2.2.4.6, 3.2.2.4.18, or 3.2.2.4.19 to issue wildcard certificates or with Authorization Domain Names other than the FQDN.

3.2.2.4.6 = "Agreed‑Upon Change to Website" (not ACME)
3.2.2.4.18 = "Agreed‑Upon Change to Website v2" (also not ACME)
3.2.2.4.19 = "Agreed‑Upon Change to Website ‑ ACME" (well, ACME obviously :stuck_out_tongue:)

That said, the BRs offer enough other challenges that allow wildcard certs, but ACME doesn't implement them. So with ACME, only the dns-01 challenge is usable for wildcard certs, enforced by the BRs. :slight_smile: All CAs that voted, voted in favor of this change (n=22), as well as all browsers/client vendors that voted (n=5).

5 Likes