Problems to get SSL

agrodi · February 23, 2021, 9:39am

Hi, I m going mad. When I try to get my SSL certificate I get:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11086819742. Details: Type: urn:ietf:params:acme:error:dns Status: 400 Detail: DNS problem: SERVFAIL looking up A for - the domain's nameservers may be malfunctioning

I give you this info in case it could help

https://dnsviz.net/d/www.excursionesdesiertomarrakech.com/dnssec/
https://check-your-website.server-daten.de/?q=excursionesdesiertomarrakech.com

Yesterday I tried to set up this DNSKEY but apparently I did something wrong so I deleted all I had done. Is maybe this Key the reason? Thank you so much

||Hôte|TTL|Type d'enregistrement|Valeur|

||www.excursionesdesiertomarrakech.com.||CNAME|excursionesdesiertomarrakech.com.|
||webmail.excursionesdesiertomarrakech.com.||A|148.251.52.190|
||148.251.52.190 / 24||PTR|excursionesdesiertomarrakech.com.|
||excursionesdesiertomarrakech.com.||NS|ns1.hepicloud.fr.|
||imap.excursionesdesiertomarrakech.com.||A|148.251.52.190|
||smtp.excursionesdesiertomarrakech.com.||A|148.251.52.190|
||excursionesdesiertomarrakech.com.||MX (10)|mail.excursionesdesiertomarrakech.com.|
||_domainconnect.excursionesdesiertomarrakech.com.||TXT|domainconnect.plesk.com/host/hepicloud.fr/port/8443|
||excursionesdesiertomarrakech.com.||TXT|v=spf1 +a +mx -all|
||excursionesdesiertomarrakech.com.||A|148.251.52.190|
||ftp.excursionesdesiertomarrakech.com.||CNAME|excursionesdesiertomarrakech.com.|
||pop3.excursionesdesiertomarrakech.com.||A|148.251.52.190|
||excursionesdesiertomarrakech.com.||NS|ns2.hepicloud.fr.|
||pop.excursionesdesiertomarrakech.com.||A|148.251.52.190|
||mail.excursionesdesiertomarrakech.com.||A|148.251.52.190|

_az · February 23, 2021, 9:44am

You'll also need to login to your domain registrar (Enom?) and disable DNSSEC there as well.

agrodi · February 23, 2021, 9:54am

Thanks _az I think it is plesk. Disable DNSSEC? I deleted the DS I created related to this DNSKEY. Actually I migrated my domain and from there I have this problem. Even before I tried to create the DNSKEY I had this and there are no DS on my DNSSEC

Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 2286, DigestType 2, Digest xNsU2ILKpwie6vliJVbMWWJwMr57wLMSMLNN+XzEqvU=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

_az · February 23, 2021, 6:26pm

According to the domain registry, your domain still has DS records published.

$ dig +noall +answer @e.gtld-servers.net excursionesdesiertomarrakech.com ds
excursionesdesiertomarrakech.com. 86400 IN DS   2286 13 2 C4DB14D882CAA7089EEAF9622556CC59627032BE7BC0B31230B34DF9 7CC4AAF5

Getting rid of these needs to be done via your domain registrar.

If you have already disabled DNSSEC at your domain registrar, then you may need to wait a bit, or contact your domain registrar.

agrodi · February 23, 2021, 10:00am

Oh great thanks! Yes actually it is not and it has never been on my DNSSEC I think old stuff I m gonna contact

JuergenAuer · February 23, 2021, 10:14am

Hi @agrodi

DNSSEC has two fundamental parts: A DS RR in the parent zone and a matching DNSKEY in the signed zone.

So if you migrate your domain and if you create a new DNSKEY, you (or your registrar) must update the DS RR in the parent zone. Or must remove the DS RR -> zone is not longer signed.

Normally:

Disable DNSSEC on your old DNS provider, check, if the missing DS is propagated
Change your DNS provider
Create a new DNSKEY + a new DS

agrodi · February 23, 2021, 10:22am

Thank you. On my old registrar they told me that the domain is already transferred and today my subscription expires. I ve found that this signature exipires the 1st of march. Are these signatures autorenew? Or normally even if I cant find this DS RR (that is not displaying on my DNSSEC) it will disapear on this date?

JuergenAuer · February 23, 2021, 6:26pm

You must do that before transferring a domain. Now it's too late.

Normally yes, nobody wants to update these RR manual.

The DS is in the parent zone, not in your zone.

Check, if you can enable and disable DNSSEC. Enabling should update the DS, disabling should remove the DS.

schoen · February 23, 2021, 6:08pm

Wait, registrars continue publishing DNS RRs for domains that are no longer registered through them? That doesn't seem like something registries (or customers) would like very much...

JuergenAuer · February 23, 2021, 6:13pm

They may not continue, but samples in this forum:

Looks like some registrars don't remove existing DS RR after a domain is transferred.

Old provider with DNSSEC -> Domain transferred to a new provider without DNSSEC -> DS exists some days with old values -> fatal.

imprahlad · February 24, 2021, 7:17am

ohh thanks, if you can enable and disable DNSSEC. Enabling should update the DS, disabling should remove the DS.

agrodi · February 24, 2021, 11:39am

Thanks I ve asked on my hosting to disable this DNSSEC. I dont know for what "enabling" first? Disabling should be enough, isnt it?