Problems to get SSL

Hi, I'm going mad. When I try to get my SSL certificate I get:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11086819742. Details: Type: urn:ietf:params:acme:error:dns Status: 400 Detail: DNS problem: SERVFAIL looking up A for - the domain's nameservers may be malfunctioning

I'm giving you this info in case it could help:

https://dnsviz.net/d/www.excursionesdesiertomarrakech.com/dnssec/
https://check-your-website.server-daten.de/?q=excursionesdesiertomarrakech.com

Yesterday I tried to set up this DNSKEY, but apparently I did something wrong, so I deleted everything I had done. Could this key be the reason? Thank you so much.

| Host | TTL | Record type | Value |
|---|---|---|---|
| www.excursionesdesiertomarrakech.com. | | CNAME | excursionesdesiertomarrakech.com. |
| webmail.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| 148.251.52.190 / 24 | | PTR | excursionesdesiertomarrakech.com. |
| excursionesdesiertomarrakech.com. | | NS | ns1.hepicloud.fr. |
| imap.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| smtp.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| excursionesdesiertomarrakech.com. | | MX (10) | mail.excursionesdesiertomarrakech.com. |
| _domainconnect.excursionesdesiertomarrakech.com. | | TXT | domainconnect.plesk.com/host/hepicloud.fr/port/8443 |
| excursionesdesiertomarrakech.com. | | TXT | v=spf1 +a +mx -all |
| excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| ftp.excursionesdesiertomarrakech.com. | | CNAME | excursionesdesiertomarrakech.com. |
| pop3.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| excursionesdesiertomarrakech.com. | | NS | ns2.hepicloud.fr. |
| pop.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |
| mail.excursionesdesiertomarrakech.com. | | A | 148.251.52.190 |

1 Like

You'll also need to log in to your domain registrar (Enom?) and disable DNSSEC there as well.

1 Like

Thanks _az, I think it is Plesk. Disable DNSSEC? I deleted the DS I created related to this DNSKEY. Actually, I migrated my domain and I have had this problem since then. Even before I tried to create the DNSKEY I had this, and there are no DS records in my DNSSEC settings:

Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 2286, DigestType 2, Digest xNsU2ILKpwie6vliJVbMWWJwMr57wLMSMLNN+XzEqvU=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

1 Like

According to the domain registry, your domain still has DS records published.

$ dig +noall +answer @e.gtld-servers.net excursionesdesiertomarrakech.com ds
excursionesdesiertomarrakech.com. 86400 IN DS   2286 13 2 C4DB14D882CAA7089EEAF9622556CC59627032BE7BC0B31230B34DF9 7CC4AAF5

Getting rid of these needs to be done via your domain registrar.

If you have already disabled DNSSEC at your domain registrar, then you may need to wait a bit, or contact your domain registrar.

3 Likes

Oh great, thanks! Yes, actually it is not and has never been in my DNSSEC settings; I think it's old stuff. I'm gonna contact them.

1 Like

Hi @agrodi

DNSSEC has two fundamental parts: A DS RR in the parent zone and a matching DNSKEY in the signed zone.

So if you migrate your domain and you create a new DNSKEY, you (or your registrar) must update the DS RR in the parent zone. Or you must remove the DS RR -> the zone is no longer signed.

Normally:

  • Disable DNSSEC at your old DNS provider and check whether the DS removal has propagated
  • Change your DNS provider
  • Create a new DNSKEY + a new DS
3 Likes
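To make the DS/DNSKEY relationship described above concrete, here is an added Python example (not code from the thread or from any poster) that rebuilds a DS record from a DNSKEY the way RFC 4034 defines it and checks whether a published DS actually points at a given key. The DNSKEY is a constructed sample (algorithm 13 with 64 placeholder key bytes), not the zone's real key; the DS values are the ones shown in the dig output earlier in the thread.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (KSK flags 257, protocol 3, algorithm 13 = ECDSA P-256).
# The 64 public-key bytes are a placeholder, NOT the zone's real key.
OWNER = "excursionesdesiertomarrakech.com."
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

# DS still published by the parent (.com) zone, copied from the dig output in the thread.
STALE_DS = (2286, 13, 2,  # key tag, algorithm, digest type, digest
            "C4DB14D882CAA7089EEAF9622556CC59627032BE7BC0B31230B34DF9 7CC4AAF5")

def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase labels, length-prefixed, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name || DNSKEY RDATA); digest type 2 is SHA-256."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_for_dnskey(owner: str, dnskey: tuple) -> tuple:
    """The DS record the registrar would have to publish for this DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], 2, ds_digest(owner, rdata))

def ds_matches_dnskey(owner: str, ds: tuple, dnskey: tuple) -> bool:
    """True only if the published DS really points at this DNSKEY (a valid chain of trust)."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(*dnskey)
    if alg != dnskey[2] or tag != key_tag(rdata):
        return False  # the DS names a different key: the post-transfer failure seen here
    return digest.replace(" ", "").upper() == ds_digest(owner, rdata, dtype)
```

With the stale DS from the parent zone the check fails (different key tag), which is the "doesn't validate the DNSKEY RR set" state; the DS computed by ds_for_dnskey for the same key passes.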

Thank you. At my old registrar they told me that the domain is already transferred and today my subscription expires. I've found that this signature expires on the 1st of March. Do these signatures auto-renew? Or, normally, even if I can't find this DS RR (which is not displayed in my DNSSEC settings), will it disappear on this date?

1 Like

You must do that before transferring a domain. Now it's too late.

Normally yes, nobody wants to update these RRs manually.

The DS is in the parent zone, not in your zone.

Check if you can enable and disable DNSSEC. Enabling should update the DS, disabling should remove the DS.

1 Like

Wait, registrars continue publishing DNS RRs for domains that are no longer registered through them? That doesn't seem like something registries (or customers) would like very much...

2 Likes

They may not continue, but there are samples in this forum:

Looks like some registrars don't remove existing DS RR after a domain is transferred.

Old provider with DNSSEC -> Domain transferred to a new provider without DNSSEC -> DS exists some days with old values -> fatal.

3 Likes

Thanks, I've asked my hosting provider to disable this DNSSEC. I don't know why "enable" first? Disabling should be enough, isn't it?
