No DNSKEY record from issue

My DNS provider said "Unfortunately, our NS servers do not support DNSSEC (DNSKEY)." I'm trying to get a Let's Encrypt SSL certificate with the certbot command using only a TXT record check and without a DNSSEC (DNSKEY) check:

certbot -d oilbliss.ru --manual --preferred-challenges dns certonly
or
docker run -it --rm --dns=77.88.8.8 certbot/certbot certonly --manual --preferred-challenges dns -d oilbliss.ru

but I got an error:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: oilbliss.ru
Type: dns
Detail: DNS problem: looking up TXT for _acme-challenge.oilbliss.ru: DNSSEC: DNSKEY Missing: validation failure <_acme-challenge.oilbliss.ru. TXT IN>: No DNSKEY record from 185.50.27.12 for key oilbliss.ru. while building chain of trust

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

What should I do?

Your DNS is currently fairly broken:

I'm guessing (?) you moved from a DNS provider that did have DNSSEC enabled without first removing DNSSEC. To remove DNSSEC you have to request it from your registrar, not the DNS provider.


I used Cloudflare as a DNS provider. I returned to beget.ru, which is currently the registrar of my domain name oilbliss.ru and the DNS provider, where I registered an A record for the domain oilbliss.ru. Beget.ru technical support says that "Unfortunately, our NS servers do not support DNSSEC (DNSKEY)." I added the TXT record with _acme-challenge for the domain on Beget.ru and it is accessible from the Internet. How can I get a Let's Encrypt certificate without DNSSEC (DNSKEY) verification?

You don't need DNSSEC to get a cert. Try searching "removing dnssec"

Your domain currently publishes a DS record, which is also part of the DNSSEC configuration:

dig oilbliss.ru -t DS

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> oilbliss.ru -t DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55507
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oilbliss.ru.                   IN      DS

;; ANSWER SECTION:
oilbliss.ru.            21600   IN      DS      2371 13 2 E2406D57951BF391F5335306AFC188821532B38C4954F42A64747D87 ABA68614

What should I do or to whom I should apply for "removing dnssec"? Any practical advice? I moved from Cloudflare less than 24 hours ago.

When you speak with beget to correct this you could refer them to this test page

Review the errors reported at the DNSViz and Verisign sites noted in the error detail.

Once they remove the broken DNSSEC you should be able to get a Let's Encrypt cert.


Beget finally, after 24 hours, reported that they deleted the DS record for the domain. Still I receive the error while requesting the certificate.

[root@russianpaintings ~]# certbot certonly --standalone -d oilbliss.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for oilbliss.ru
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Have they ruined the DNS for my site and there is no redirect for the domain?

As far as I can see the DS record (set by your registrar) still exists Query: oilbliss.ru - Google Public DNS

So DNS is still trying to validate your DNS according to DNSSEC.


Yes, the DS record is still there, but they deleted it only 1 hour ago. Also they ruined DNS for the domain: there is no http redirect after they made changes to DNS / DS.

DNS_PROBE_FINISHED_NXDOMAIN

OMG

The site can be opened via http://oilbliss.ru. But Certbot is having an issue with the connection to port 80:

[root@russianpaintings ~]# certbot certonly --standalone -d oilbliss.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for oilbliss.ru
Performing the following challenges:
http-01 challenge for oilbliss.ru
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

What is the cause?

Finally I got the certificate via TXT-record confirmation:
certbot -d oilbliss.ru --manual --preferred-challenges dns certonly

What do you think DNS has to do with the HTTP -> HTTPS redirect?

...which again has nothing at all to do with DNS. Certbot can't bind to port 80, presumably, because something else (like your web server) is listening there. Why are you running certbot in standalone mode?

...which you won't be able to renew automatically.


Finally Beget removed the DS record and I was able to get a Let's Encrypt cert. for 3 months in the admin panel of my server, which will be renewed automatically. Also I was able to get the cert. with certbot using TXT-record confirmation.


I am new to this subject matter. Later on I will try to use:

certbot certonly --webroot -w /path/to/your/webroot -d example.com

At present my server control panel will receive the cert. for me automatically.


If you have a control panel to use and install certificates automatically, why are you using certbot at all?


The use of certbot is due to the fact that the panel could not automatically obtain a certificate. I had to configure certbot to see the cause of the error: the Beget company's DNS server registered a DS record, but did not return a DNSKEY. In addition, I began to study certbot when I used DNS in Cloudflare for this domain. After that I switched off Cloudflare for this domain due to problems with Cloudflare in Russia: it is being blocked for mobile devices. So, this is a complicated story.

