Error while adding ssl to site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: athensplasticsurgerycenter.com

I ran this command: I tried to install Let's Encrypt from the Plesk panel

It produced this output: Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: SERVFAIL looking up A for athensplasticsurgerycenter.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for athensplasticsurgerycenter.com - the domain's nameservers may be malfunctioning

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: top.host

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This is quite unusual.

$ dig ns athensplasticsurgerycenter.com

; <<>> DiG 9.16.11 <<>> ns athensplasticsurgerycenter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53981
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;athensplasticsurgerycenter.com.        IN      NS

;; Query time: 143 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 25 09:00:53 CET 2022
;; MSG SIZE  rcvd: 59

(The domain is registered and there are two nameservers in the whois database)

@gkousk does your website actually work? (without https)


DNSViz doesn't show much, only 2 (I think non-fatal) warnings: athensplasticsurgerycenter.com | DNSViz

Unboundtest also doesn't show an error:

https://unboundtest.com/m/A/athensplasticsurgerycenter.com/TU3TS2R4

Maybe it was just a temporary hiccup?


Now we have changed the nameservers back to the old ones on another host. But HTTP worked fine.

I can see the nameservers now. You have a 4 hour (14400 seconds) TTL on those records in your zone, which is fine.

dig ns athensplasticsurgerycenter.com
; <<>> DiG 9.16.11 <<>> ns athensplasticsurgerycenter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61925
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;athensplasticsurgerycenter.com.        IN      NS

;; ANSWER SECTION:
athensplasticsurgerycenter.com. 14400 IN NS     ns02.one.com.
athensplasticsurgerycenter.com. 14400 IN NS     ns01.one.com.

;; Query time: 103 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 25 10:31:39 CET 2022
;; MSG SIZE  rcvd: 101

But the parent zone has a 48-hour (172800 seconds) TTL. This probably depends on your DNS provider or TLD.

~$ dig @$(dig ns com. +short | head -n 1) athensplasticsurgerycenter.com ns

; <<>> DiG 9.18.0-2ubuntu2-Ubuntu <<>> @a.gtld-servers.net. athensplasticsurgerycenter.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38013
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;athensplasticsurgerycenter.com.        IN      NS

;; AUTHORITY SECTION:
athensplasticsurgerycenter.com. 172800 IN NS    ns01.one.com.
athensplasticsurgerycenter.com. 172800 IN NS    ns02.one.com.

;; ADDITIONAL SECTION:
ns01.one.com.           172800  IN      A       195.206.121.10
ns02.one.com.           172800  IN      A       195.206.121.138

;; Query time: 50 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.) (UDP)
;; WHEN: Fri Feb 25 10:36:24 CET 2022
;; MSG SIZE  rcvd: 133

If you want to modify your nameservers, you have to modify them in both zones. And the parent one can be slow to update (for your clients, not for Let's Encrypt, which always goes to the source).


Funnily enough, my DNS provider (Gandi LiveDNS, a good service, but you can only have it if you buy your domain from them) goes the other way. If I ask the TLD DNS, my NS TTL is one hour; if I ask my authoritative nameservers, it's 4 hours.
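The check the reply above does by hand (asking a TLD server for the delegation, then asking the zone's own nameservers, and comparing the two answers), as an added shell example that is not code from the thread: it compares the two NS lists as sets, so case and trailing dots do not produce false mismatches. It assumes dig is installed; the one.com names in the comments and tests come from the thread, and other-host.example is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: compare the NS delegation the parent
# (TLD) servers hand out with the NS set the zone itself publishes. Let's
# Encrypt resolves from the authoritative servers, so after a nameserver
# change a stale parent delegation (172800 s TTL above vs 14400 s in the
# zone) is the first thing to rule out when ACME reports SERVFAIL.

# normalize_ns: names on stdin; lowercase, drop trailing dots and blank
# lines, sort and dedupe so two lists can be compared as sets.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# compare_ns PARENT_LIST ZONE_LIST: newline-separated NS names per side.
# Prints "match", or "mismatch" plus the names present on one side only.
compare_ns() {
    parent=$(printf '%s\n' "$1" | normalize_ns)
    zone=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$parent" = "$zone" ]; then
        echo match
        return 0
    fi
    echo mismatch
    for n in $parent; do
        printf '%s\n' "$zone" | grep -qxF -- "$n" || echo "parent-only: $n"
    done
    for n in $zone; do
        printf '%s\n' "$parent" | grep -qxF -- "$n" || echo "zone-only: $n"
    done
}

# parent_ns DOMAIN: the delegation as one TLD server sees it (the same
# query as the reply's dig @$(dig ns com. +short | head -n 1) ... ns).
parent_ns() {
    tld=${1##*.}
    server=$(dig +short ns "$tld." | head -n 1)
    dig +norecurse @"$server" ns "$1" | awk '$4 == "NS" { print $5 }'
}

# zone_ns DOMAIN: the NS set published by the first delegated nameserver.
zone_ns() {
    first=$(parent_ns "$1" | head -n 1)
    dig +short @"$first" ns "$1"
}

# Live check; only touches the network when a domain is given as $1.
if [ -n "${1:-}" ]; then
    compare_ns "$(parent_ns "$1")" "$(zone_ns "$1")"
fi
```

Run it as `sh check-delegation.sh athensplasticsurgerycenter.com`; any "parent-only" or "zone-only" line means the two levels still disagree and resolvers may answer differently until the parent TTL expires.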


Ok, if http works fine you can most probably get a certificate.

What would you like to do?

