I just transferred my domain (breshears.us) to no-ip and have issues getting a certificate issued.
If I use one of no-ip's default hostnames (such as breshears.ddns.me) I have no issues getting a certificate issued. However, I do have an issue when trying to get a certificate from my own domain.
If you try to visit 'breshears.us' it works, but it gives you a certificate error.
What am I doing wrong? The "A Record" appears to be fine. Is there another way to pass the challenge?
ACTUAL ERROR ---------------------
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for breshears.us
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. breshears.us (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for breshears.us - the domain's nameservers may be malfunctioning
The following errors were reported by the server:
Detail: DNS problem: SERVFAIL looking up A for breshears.us - the
domain's nameservers may be malfunctioning
Done. Press any key...
I have searched the internet for people who have had similar problems as I am now having, and I have seen several issues where DNSSEC was the problem. But I could not follow the solutions to resolve this.
Does this have anything to do with me transferring my domain from Namecheap to no-ip?
The transfer could be the reason for this DNSSEC error though. It could very well be that your previous DNS service provider has left the DS record in the .us zone and didn't delete it when your domain was transferred. As your new DNS provider doesn't have the DNSKEY record corresponding to this DS record in your domain's zone, DNSSEC is broken.
At the moment your current DNS provider is the one capable of removing the DS record from the .us zone.
They informed me that they do not support DNSSEC at all. He also said the issue could be because my domain is still propagating due to the transfer, so that could be causing the issue.
But he wasn't sure, so he's making a support ticket for someone else to look into. (I did ask them to disable DNSSEC, but because they don't support it, he was unsure, hence, why he made another ticket.)
Meaningless ramble from someone who clearly doesn't know anything about DNSSEC.
The entire contents of the zone are always transferred.
The new registrar can remove any/all records that you can't remove yourself.
As they don't even support DNSSEC, there is no way for you to address those records through their panel. Waiting for some miracle to fix this is just a waste of time.
Call back and speak to someone with a clue or a title high enough to find someone with a clue.
Sorry, I may have spoken too soon (no sense in erasing what has already been said - LOL).
You will be properly helped soon.
Okay, so I am getting closer to getting this issue solved. -- I received word back from the new registrar, and they confirmed that the issue is being caused by DNSSEC, and they said that they did remove the DS record. (Removed about 45 minutes ago) However, I'm still getting the same error when attempting to generate a certificate.
Do I just need to hang tight and let it work through the system, or are their efforts not getting rid of DNSSEC?
Just an update for you, I have confirmed with the devs here that it is the DNSSEC record that's causing issues for your domain. I put in a request to have them remove it from your zone. I will update you once they've processed the request. Thank you for your patience!
I'm glad to report that the DS record has been removed from your zone on your domain. Let me know if you run into any other issues.
Thank y'all again. Very grateful for your insight.