My ISP doesn't offer IPv6, so there is no AAAA record. Can I use Let's Encrypt certificates?

As subject: My ISP doesn't offer IPv6, so there is no AAAA record. Can I use Let's Encrypt certificates?

My domain is: keeskoenen.com

I ran this command: certbot

It produced this output:

DNS problem: SERVFAIL looking up A for www.keeskoenen.com
   - the domain's nameservers may be malfunctioning; DNS problem:
   SERVFAIL looking up AAAA for www.keeskoenen.com - the domain's
   nameservers may be malfunctioning

My web server is (include version): Nginx (nginx/1.18.0)

The operating system my web server runs on is (include version): Debian 5.10.149-2 (2022-10-21)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Yes, but your authoritative DNS server needs to resolve the A and AAAA requests correctly (even if AAAA returns no records).

It looks like you might have a DNSSEC issue with your domain setup: www.keeskoenen.com | DNSViz

keeskoenen.com/DS (alg 13, id 56176): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).

6 Likes
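An added example, not part of the reply above and not Let's Encrypt or certbot code: it classifies DNS response headers to show why an empty AAAA answer (NOERROR with zero records) is fine while SERVFAIL is not, and checks a DS record's digest type. The helper names, the sample headers and the DS digest are constructed for illustration; only key tag 56176 and algorithm 13 come from the DNSViz line.

```python
import struct

SERVFAIL, NXDOMAIN = 2, 3

def make_response(rcode, ancount):
    """Constructed sample: header of a DNS response (QR, RD, RA set), RFC 1035 4.1.1."""
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)

def classify(message):
    """Return 'records', 'nodata', 'nxdomain', 'servfail' or 'other' for one response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", message[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        return "servfail"  # resolver could not obtain a usable answer
    if rcode == NXDOMAIN:
        return "nxdomain"
    if rcode != 0:
        return "other"
    return "records" if ancount else "nodata"  # NOERROR + empty answer = NODATA

def lookups_usable(a_msg, aaaa_msg):
    """Simplified model of the rule in the answer above: both lookups must complete,
    and at least one must return addresses. An empty AAAA answer is acceptable."""
    a, aaaa = classify(a_msg), classify(aaaa_msg)
    if "servfail" in (a, aaaa) or "other" in (a, aaaa):
        return False, f"A={a}, AAAA={aaaa}: lookup failed, fix DNS/DNSSEC first"
    if "records" not in (a, aaaa):
        return False, f"A={a}, AAAA={aaaa}: no address to connect to"
    return True, f"A={a}, AAAA={aaaa}"

def ds_uses_sha1(ds_rdata):
    """DS rdata in presentation form: key tag, algorithm, digest type, digest.
    Digest type 1 is SHA-1, the condition DNSViz flagged."""
    _key_tag, _algorithm, digest_type, _digest = ds_rdata.split(None, 3)
    return int(digest_type) == 1

if __name__ == "__main__":
    # IPv4-only host: A has one record, AAAA is NOERROR with zero answers.
    print(lookups_usable(make_response(0, 1), make_response(0, 0)))
    # The situation in the certbot output: both lookups return SERVFAIL.
    print(lookups_usable(make_response(SERVFAIL, 0), make_response(SERVFAIL, 0)))
    # Key tag and algorithm are from the DNSViz line; the digest is a placeholder.
    print(ds_uses_sha1("56176 13 1 " + "00" * 20))
```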

Hmmm.. I thought I saw that my Plesk admin interface demanded a (correct) IPv6 address when adding an AAAA record. Maybe I can do something like ::.

I'll try. Thanks.

1 Like

But why would you need to add an IPv6 record in the first place?

4 Likes

If you don't have any IPv6 addresses, the general idea in DNS is that you don't add any IPv6 (AAAA) records.

According to @petercooperjr, the problem currently is not related to IPv6, but with DNSSEC being defective.

4 Likes

To run certbot.

Certbot doesn't require an IPv6 address.
You are trying to solve the problem the wrong way.

5 Likes

Certbot reports an error (see OP).

The error is DNS related.
Which is DNSSEC related.
Did you read the posts?
Do you understand what you read?

4 Likes

LOL. Boy, you must be fun at parties.

Anyway, it's fixed now.. I don't know what exactly fixed it. Fiddled around with settings, maybe DNS propagation, dunno. DNSViz still shows the warnings (warnings, not errors), I'll look into that next.

Thanks anyway.

1 Like

You'd be surprised - LOL

Glad all is well now :wink:
Cheers from Miami :beers:

4 Likes
