{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall/638023256/643517064416/t8fYYw",
  "status": "invalid",
  "validated": "2026-01-15T14:47:07Z",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "no valid A records found for mta-sts.dm.cz; no valid AAAA records found for mta-sts.dm.cz",
    "status": 400
  }
}
The domain does indeed have no A or AAAA record, but a CNAME record which points to an A record. We can resolve both CNAME and A entries via various DNS servers including Google's and Cloudflare's. Let's Encrypt supports CNAMEs in general, so we are unsure what issue Let's Encrypt is having. Can anyone shed some light on this?
I can confirm via Google Dig that there is an A record and no AAAA record.
id 17701
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
mta-sts.dm.cz. IN A
;ANSWER
mta-sts.dm.cz. 21574 IN CNAME mtasts-enforce.mailsecurity.dm.de.
mtasts-enforce.mailsecurity.dm.de. 21574 IN A 194.127.216.30
;AUTHORITY
;ADDITIONAL
id 3180
opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
mta-sts.dm.cz. IN AAAA
;ANSWER
mta-sts.dm.cz. 21600 IN CNAME mtasts-enforce.mailsecurity.dm.de.
;AUTHORITY
mailsecurity.dm.de. 1800 IN SOA auth1.dm-drogeriemarkt.de. hostmaster.dm-drogeriemarkt.de. 2026010900 14400 960 1209600 3600
;ADDITIONAL
The CNAME from mta-sts.dm.cz to mtasts-enforce.mailsecurity.dm.de is fine. But mtasts-enforce.mailsecurity.dm.de is pretty broken.
It lists 4 DNS servers, but only one of them returns an A record. The ns14.net nameservers all don't think that they're authoritative for that name, and don't return a record.
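As an added example (not code from this thread, from Let's Encrypt, or from the poster), a small Python checker that does what the reply above describes by hand: follow the CNAME chain to the final name, then ask each nameserver listed for that name and compare the verdicts, since a validator that happens to hit a server that is not authoritative will see no A record. The hostnames, the 192.0.2.30 address and the replies are constructed sample data; in a real run the `sample_query` callback would be replaced by one that sends the query to each server with a DNS library.

```python
# Added diagnostic: follow CNAMEs, then compare every listed nameserver's reply.
from dataclasses import dataclass, field

@dataclass
class Answer:
    rcode: str                 # "NOERROR", "REFUSED", "NXDOMAIN", ...
    aa: bool = False           # authoritative-answer flag set by the server
    records: list = field(default_factory=list)   # (rtype, value) pairs

def follow_cname(name, cname_map, max_hops=8):
    """Walk CNAMEs to the final owner name; refuse loops and over-long chains."""
    seen = []
    while name in cname_map:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long: " + " -> ".join(seen + [name]))
        seen.append(name)
        name = cname_map[name]
    return name

def classify(ans):
    """Reduce one server's reply to a verdict string comparable across servers."""
    if ans.rcode == "REFUSED" or (ans.rcode == "NOERROR" and not ans.aa):
        return "not authoritative"      # the server does not think it serves this zone
    if ans.rcode != "NOERROR":
        return ans.rcode
    addrs = sorted(v for t, v in ans.records if t == "A")
    return "A " + ",".join(addrs) if addrs else "NODATA"

def check_nameservers(name, nameservers, query):
    """query(ns, name, rtype) -> Answer. Returns (all_good, {ns: verdict})."""
    verdicts = {ns: classify(query(ns, name, "A")) for ns in nameservers}
    if not verdicts:
        return False, verdicts
    all_good = len(set(verdicts.values())) == 1 and next(iter(verdicts.values())).startswith("A ")
    return all_good, verdicts

# Constructed sample modelled on the thread: one server answers, three are not authoritative.
SAMPLE_CNAMES = {"mta-sts.example.org": "target.zone.example"}
SAMPLE_NS = ["ns-good.example", "ns1.other.example", "ns2.other.example", "ns3.other.example"]
SAMPLE_REPLIES = {
    "ns-good.example": Answer("NOERROR", aa=True, records=[("A", "192.0.2.30")]),
    "ns1.other.example": Answer("REFUSED"),
    "ns2.other.example": Answer("REFUSED"),
    "ns3.other.example": Answer("NOERROR", aa=False),   # answers, but without the AA bit
}

def sample_query(ns, name, rtype):
    return SAMPLE_REPLIES[ns]

if __name__ == "__main__":
    target = follow_cname("mta-sts.example.org", SAMPLE_CNAMES)
    ok, verdicts = check_nameservers(target, SAMPLE_NS, sample_query)
    for ns, v in verdicts.items():
        print("%-20s %s" % (ns, v))
    print("consistent:", ok)
```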