Error: Let's Encrypt validation status 400

g0r60n · August 6, 2019, 3:09pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
vaynahi.com

I ran this command:
Via Vestacp clicked on ssl support and Letsencrypt

It produced this output:
Error: Let’s Encrypt validation status 400

My web server is (include version):
nginx + apache

The operating system my web server runs on is (include version):
Debian 8

My hosting provider, if applicable, is:
Virtual Server

I canhttps://community.letsencrypt.org/search login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - VESTACP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
No

JuergenAuer · August 6, 2019, 3:47pm

Hi @g0r60n

there are some checks of your domain. There you see the problem - https://check-your-website.server-daten.de/?q=vaynahi.com

com

There is a DS Record in the parent zone that says: "You use DNSSEC".

But your zone doesn't have the correct DNSKEY. So your DNSSEC is broken.

That blocks Letsencrypt to find a correct - signed - IP address.

Looks like you have changed your DNS provider. Your old supported DNSSEC, your new not.

Add DNSSEC to your domain or your DNS provider should start an action to remove the DS in the parent zone.

g0r60n · August 14, 2019, 7:02am

I have “DNSSEC” disabled in the domain, now everything has started to work again, thank you

JuergenAuer · August 14, 2019, 7:39am

If your DNS provider has a menu to disable DNSSEC, then you should be able to re-enable DNSSEC now.

It wasn't a global DNSSEC problem. Only an inconsistence between the DS in the parent zone and the missing DNSKEY in your local zone.

DNSSEC is an amazing feature. So if your DNS provider supports that -> use it.

Re-enabling DNSSEC -> the local DNSKEY should be created. Then recheck your domain.

system · September 13, 2019, 7:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.