My ISP doesn't offer IPv6, so there is no AAAA record. Can I use Let's Encrypt certificates?

As subject; My ISP doesn't offer IPv6, so there is no AAAA record. Can I use Let's Encrypt certificates?

My domain is:

I ran this command: certbot

It produced this output:

DNS problem: SERVFAIL looking up A for
   - the domain's nameservers may be malfunctioning; DNS problem:
   SERVFAIL looking up AAAA for - the domain's
   nameservers may be malfunctioning

My web server is (include version): Nginx (nginx/1.18.0)

The operating system my web server runs on is (include version): Debian 5.10.149-2 (2022-10-21)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Yes, but your authoritative DNS server needs to resolve the A and AAAA requests correctly (even if AAAA returns no records).

It looks like you might have a DNSSEC issue with your domain setup: | DNSViz (alg 13, id 56176): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
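The distinction drawn in the reply above, as an added example that is not part of the original thread: an AAAA lookup that returns NOERROR with zero answers (NODATA) is a healthy result for an IPv4-only host, while SERVFAIL on either query type is a failed lookup, which is also what a validating resolver returns when DNSSEC validation fails. The domain `example.com`, the address `192.0.2.10` and all function names are assumptions, and the responses are built inline rather than captured.

```python
import struct

RCODE = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE = {1: "A", 28: "AAAA"}

def build_response(qname, qtype, rcode, rdatas=()):
    """Build a minimal DNS response in wire format (constructed sample data)."""
    flags = 0x8000 | rcode  # QR=1 (response) plus the 4-bit RCODE
    header = struct.pack("!6H", 0x1234, flags, 1, len(rdatas), 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question = name + struct.pack("!2H", qtype, 1)  # QCLASS 1 = IN
    # Each answer uses a compression pointer (0xC00C) back to the question name.
    answers = b"".join(b"\xc0\x0c" + struct.pack("!2HIH", qtype, 1, 300, len(r)) + r
                       for r in rdatas)
    return header + question + answers

def classify(msg):
    """Return (qtype, status); status is RECORDS, NODATA, or an RCODE name."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a response carrying exactly one question")
    pos = 12
    while msg[pos]:  # walk the uncompressed question name, label by label
        pos += msg[pos] + 1
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    rcode = flags & 0x000F
    if rcode:
        return QTYPE.get(qtype, str(qtype)), RCODE.get(rcode, f"RCODE{rcode}")
    return QTYPE.get(qtype, str(qtype)), "RECORDS" if ancount else "NODATA"

def dns_problems(responses):
    """List failed lookups; NODATA (no AAAA on an IPv4-only host) is not a failure."""
    problems = []
    for msg in responses:
        qtype, status = classify(msg)
        if status not in ("RECORDS", "NODATA"):
            problems.append(f"{status} looking up {qtype}")
    return problems

# Constructed samples: an IPv4-only host, then the failure mode from the thread.
ipv4_only = [build_response("example.com", 1, 0, [bytes([192, 0, 2, 10])]),
             build_response("example.com", 28, 0)]
broken = [build_response("example.com", 1, 2), build_response("example.com", 28, 2)]

if __name__ == "__main__":
    print(dns_problems(ipv4_only), dns_problems(broken))
```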


Hmmm.. I thought I saw that my Plesk admin interface demanded a (correct) IPv6 address when adding an AAAA record. Maybe I can do something like ::.

I'll try. Thanks.

But why would you need to add an IPv6 record in the first place?


If you don't have any IPv6 addresses, the general idea in DNS is that you don't add any IPv6 (AAAA) records.

According to @petercooperjr, the problem currently is not related to IPv6, but with DNSSEC being defective.


To run certbot.

Certbot doesn't require an IPv6 address.
You are trying to solve the problem the wrong way.


Certbot reports an error (see OP).

The error is DNS related.
Which is DNSSEC related.
Did you read the posts?
Do you understand what you read?


LOL. Boy, you must be fun at parties.

Anyway, it's fixed now.. I don't know what exactly fixed it. Fiddled around with settings, maybe DNS propagation, dunno. DNSViz still shows the warnings (warnings, not errors), I'll look into that next.

Thanks anyway.

You'd be surprised - LOL

Glad all is well now :wink:
Cheers from Miami :beers:

