Error trying to install Let's Encrypt on Plesk

My domain is: btcl.co.bw

I tried to install Let's Encrypt on Plesk but am getting errors

It produced this output: Error: Could not issue a Let’s Encrypt SSL/TLS certificate for btcl.co.bw . Authorization for the domain failed.
Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1321947430.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: No valid IP addresses found for btcl.co.bw

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux

Hi @khumoub

Checking your domain, that's exactly the problem - https://check-your-website.server-daten.de/?q=btcl.co.bw

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| btcl.co.bw | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.btcl.co.bw | A | 168.167.71.11 Gaborone/Botswana (BW) - Botswana Telecommunications Corporation No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |

Your non-www doesn't have an A- or AAAA-record (ipv4 or ipv6). Your www has one.

Create the same record with the non-www version, then recheck your domain to see if the A-record is visible.

Hi Juergen
I did what you suggested and got the error below
Error: Could not issue a Let’s Encrypt SSL/TLS certificate for btcl.co.bw . Authorization for the domain failed.
Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/1670494601.
Details:
Type: urn:ietf:params:acme:error:dns
Status: 400
Detail: DNS problem: SERVFAIL looking up CAA for co.bw

That's a curious error. Checking your domain my tool doesn't see a CAA or name server error - https://check-your-website.server-daten.de/?q=btcl.co.bw

Same using Unboundtest: https://unboundtest.com/m/CAA/co.bw/IBTJHII2

Query results for CAA co.bw

Response:
;; opcode: QUERY, status: NOERROR, id: 8760
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;co.bw. IN CAA

;; AUTHORITY SECTION:
co.bw. 0 IN SOA dns1.nic.net.bw. registry.nic.net.bw. 2019121115 21600 3600 604800 3600

Let's Encrypt uses an Unbound instance with the same configuration.

So two options:

  • It's a temporary problem, try it once again
  • It's a problem. So create a CAA entry with btcl.co.bw, then co.bw isn't checked.

PS: It's not a Plesk problem.

PS: Oh, what's that? Checking https://unboundtest.com/m/CAA/btcl.co.bw/X4GM2UY3 there is an error:

Query results for CAA btcl.co.bw

Response:
;; opcode: QUERY, status: SERVFAIL, id: 27442
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;btcl.co.bw. IN CAA

----- Unbound logs -----
Dec 11 14:23:23 unbound[7250:0] notice: init module 0: validator
Dec 11 14:23:23 unbound[7250:0] notice: init module 1: iterator
Dec 11 14:23:23 unbound[7250:0] info: start of service (unbound 1.9.3).
Dec 11 14:23:24 unbound[7250:0] info: 127.0.0.1 btcl.co.bw. CAA IN
Dec 11 14:23:24 unbound[7250:0] info: resolving btcl.co.bw. CAA IN
Dec 11 14:23:24 unbound[7250:0] info: priming . IN NS
Dec 11 14:23:24 unbound[7250:0] info: response for . NS IN
Dec 11 14:23:24 unbound[7250:0] info: reply from <.> 2001:7fe::53#53
Dec 11 14:23:24 unbound[7250:0] info: query response was ANSWER
Dec 11 14:23:24 unbound[7250:0] info: priming successful for . NS IN
Dec 11 14:23:25 unbound[7250:0] info: response for btcl.co.bw. CAA IN
Dec 11 14:23:25 unbound[7250:0] info: reply from <.> 2001:7fd::1#53
Dec 11 14:23:25 unbound[7250:0] info: query response was REFERRAL
Dec 11 14:23:26 unbound[7250:0] info: response for btcl.co.bw. CAA IN
Dec 11 14:23:26 unbound[7250:0] info: reply from <bw.> 168.167.98.226#53
Dec 11 14:23:26 unbound[7250:0] info: query response was DNSSEC LAME
Dec 11 14:23:27 unbound[7250:0] info: Capsforid: timeouts, starting fallback
Dec 11 14:23:27 unbound[7250:0] info: response for btcl.co.bw. CAA IN
Dec 11 14:23:27 unbound[7250:0] info: reply from <bw.> 2c0f:ff00:1:3::226#53
Dec 11 14:23:27 unbound[7250:0] info: Capsforid: reply is equal. go to next fallback
Dec 11 14:23:27 unbound[7250:0] info: response for btcl.co.bw. CAA IN
Dec 11 14:23:27 unbound[7250:0] info: reply from <bw.> 168.167.168.37#53
Dec 11 14:23:27 unbound[7250:0] info: Capsforid fallback: getting different replies, failed

The dns2.nic.net.bw, one of the name servers of the bw zone, is terrible.

X Fatal error: Nameserver doesn't support TCP connection: dns2.nic.net.bw: Timeout
X Nameserver Timeout checking Echo Capitalization: dns2.nic.net.bw
X Nameserver Timeout checking EDNS512: dns2.nic.net.bw

The bw zone is signed, so DNSSEC crashes if that name server is used (TCP is required).

Looks like the name servers are too buggy. But that's not something you can fix.
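The CAA lookup order behind the "create a CAA entry with btcl.co.bw, then co.bw isn't checked" suggestion, as an added example that is not part of the original thread: a CA climbs from the requested name towards the root (RFC 8659), stops at the first CAA record set it finds, and refuses on any SERVFAIL met before that. The `answers` tables are a hypothetical stand-in for the resolver, with constructed responses modelled on the errors quoted above.

```python
# Added example: CAA tree climbing (RFC 8659) over constructed DNS answers.
SERVFAIL = "SERVFAIL"        # lookup failed: the CA must refuse to issue
EMPTY = "NOERROR, no CAA"    # lookup worked, no CAA record set at this name


def climb(name):
    """Yield the name, then each parent: btcl.co.bw, co.bw, bw."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def check_caa(name, ca, answers):
    """Return (decision, names queried) for a non-wildcard certificate.

    `answers` is a hypothetical stand-in for the CA's resolver: it maps a
    name to SERVFAIL or to a list of (tag, value) CAA records. Names that
    are missing from it answer EMPTY.
    """
    queried = []
    for candidate in climb(name):
        queried.append(candidate)
        answer = answers.get(candidate, EMPTY)
        if answer == SERVFAIL:
            return f"refuse: SERVFAIL looking up CAA for {candidate}", queried
        if answer != EMPTY:
            # The first record set found is the relevant one: stop climbing.
            issuers = [value for tag, value in answer if tag == "issue"]
            if not issuers or ca in issuers:
                return "allow", queried
            return f"refuse: CAA at {candidate} does not list {ca}", queried
    return "allow", queried  # no CAA anywhere up the tree


# Constructed scenarios modelled on the thread, not live DNS data.
PARENT_BROKEN = {"co.bw": SERVFAIL}
OWN_CAA_SET = {"btcl.co.bw": [("issue", "letsencrypt.org")], "co.bw": SERVFAIL}
OWN_NAME_BROKEN = {"btcl.co.bw": SERVFAIL}

if __name__ == "__main__":
    for label, answers in [("parent broken", PARENT_BROKEN),
                           ("own CAA set", OWN_CAA_SET),
                           ("own name broken", OWN_NAME_BROKEN)]:
        print(label, "->", check_caa("btcl.co.bw", "letsencrypt.org", answers))
```

The third scenario corresponds to the SERVFAIL for btcl.co.bw itself in the second Unbound test: a CAA record at the domain only shortens the climb if the query for that name can be answered.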
