Error: Let's Encrypt validation status 400

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: allmusicdatabase.com

I ran this command: Trying to add Let's Encrypt certificate

It produced this output: Error: Let's Encrypt validation status 400

My web server is (include version): Apache/2.4.57 ; Nginx/1.25.4

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): myvesta

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I've added various other domains to this same system and all the Let's Encrypt certificates went through without problems. This domain was initially successful over a week ago but I've since reinstalled everything and lost the original certificates. I've waited until new certificates should be available again. I can ping the IP address from the command line, it also appears to give correct results from various DNS checking services including leafdns.com.

You have some serious DNS and DNSSEC issues.

See allmusicdatabase.com | DNSViz

The online tool Let's Debug yields these results https://letsdebug.net/allmusicdatabase.com/1815582

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for allmusicdatabase.com/A.
DNS response for allmusicdatabase.com had fatal DNSSEC issues: validation failure <allmusicdatabase.com. A IN>: No DNSKEY record from 200.69.21.58 for key allmusicdatabase.com. while building chain of trust. Additionally, Cloudflare's 1.1.1.1 resolver reported: no SEP matching the DS found for allmusicdatabase.com.
DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for allmusicdatabase.com/AAAA.
DNS response for allmusicdatabase.com had fatal DNSSEC issues: validation failure <allmusicdatabase.com. AAAA IN>: No DNSKEY record from 200.69.21.58 for key allmusicdatabase.com. while building chain of trust. Additionally, Cloudflare's 1.1.1.1 resolver reported: no SEP matching the DS found for allmusicdatabase.com.
NoRecords
FATAL
No valid A or AAAA records could be ultimately resolved for allmusicdatabase.com. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.
No A or AAAA records found.

The online tool https://unboundtest.com/ does not find a DNS A Record nor an AAAA Record.
https://unboundtest.com/m/A/allmusicdatabase.com/ZCSZAQNL

Query results for A allmusicdatabase.com

Response:
;; opcode: QUERY, status: SERVFAIL, id: 23667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512
; EDE: 9 (DNSKEY Missing): (validation failure <allmusicdatabase.com. A IN>: No DNSKEY record from 200.69.21.58 for key allmusicdatabase.com. while building chain of trust)

;; QUESTION SECTION:
;allmusicdatabase.com.	IN	 A

----- Unbound logs -----
Feb 25 22:52:52 unbound1.19[945154:0] debug: creating udp6 socket ::1 1053
Feb 25 22:52:52 unbound1.19[945154:0] debug: creating tcp6 socket ::1 1053
Feb 25 22:52:52 unbound1.19[945154:0] debug: creating udp4 socket 127.0.0.1 1053
Feb 25 22:52:52 unbound1.19[945154:0] debug: creating tcp4 socket 127.0.0.1 1053
Feb 25 22:52:52 unbound1.19[945154:0] debug: chdir to .
Feb 25 22:52:52 unbound1.19[945154:0] debug: switching log to stderr

https://unboundtest.com/m/AAAA/allmusicdatabase.com/K3WK4G7T

Query results for AAAA allmusicdatabase.com

Response:
;; opcode: QUERY, status: SERVFAIL, id: 20523
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512
; EDE: 9 (DNSKEY Missing): (validation failure <allmusicdatabase.com. AAAA IN>: No DNSKEY record from 200.69.21.58 for key allmusicdatabase.com. while building chain of trust)

;; QUESTION SECTION:
;allmusicdatabase.com.	IN	 AAAA

----- Unbound logs -----
Feb 25 22:56:13 unbound1.19[945156:0] debug: creating udp6 socket ::1 1053
Feb 25 22:56:13 unbound1.19[945156:0] debug: creating tcp6 socket ::1 1053
Feb 25 22:56:13 unbound1.19[945156:0] debug: creating udp4 socket 127.0.0.1 1053
Feb 25 22:56:13 unbound1.19[945156:0] debug: creating tcp4 socket 127.0.0.1 1053

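The "no SEP matching the DS found" and "No DNSKEY record ... while building chain of trust" messages above both describe the same check: the DS record published at the parent (.com) must match a DNSKEY with the SEP bit that the zone itself serves. The following is an added example (not code from the thread or from Let's Debug/Unbound) that performs that RFC 4034 check locally on constructed key material, so you can see exactly what a reinstall that rotates the KSK without updating the DS at the registrar breaks; the domain and key bytes are placeholders.

```python
"""DS <-> DNSKEY chain-of-trust check (RFC 4034 section 5.1.4 and Appendix B)."""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """True if DS (key_tag, algorithm, digest_type, digest) points at this DNSKEY.
    Only a key with the SEP bit (flag 0x0001) can anchor the zone's chain of trust."""
    tag, alg, dtype, digest = ds
    flags, _, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0001 or alg != algorithm or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, dtype) == digest

def find_sep(owner: str, ds_records, dnskeys) -> bool:
    """The resolver's question: does any parent DS match any DNSKEY the zone serves?"""
    return any(ds_matches_dnskey(owner, ds, k) for ds in ds_records for k in dnskeys)

# Constructed demo data (not real keys): the parent's DS was derived from OLD_KSK,
# but after a reinstall the zone publishes only NEW_KSK, so validation fails.
OLD_KSK = dnskey_rdata(257, 13, bytes.fromhex("00010203"))
NEW_KSK = dnskey_rdata(257, 13, bytes.fromhex("0a0b0c0d"))
ZSK = dnskey_rdata(256, 13, bytes.fromhex("ffeeddcc"))
PARENT_DS = [(key_tag(OLD_KSK), 13, 2, ds_digest("example.com", OLD_KSK, 2))]

if __name__ == "__main__":
    print("after reinstall, DS stale:", find_sep("example.com", PARENT_DS, [NEW_KSK, ZSK]))
    print("DS matches served KSK:", find_sep("example.com", PARENT_DS, [OLD_KSK, ZSK]))
```

The fix is the same either way: publish a DS at the registrar that matches the KSK currently served by the zone, or remove the DS entirely if the zone is not meant to be signed.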

Also see


This sounds like a question for the myvesta community.


Thanks very much Bruce, the extra links you suggested led me to realising the domain registrar uses unconventional syntax for setting up DNS records. I've adjusted these and all seems to work finally.
