Renewing SSL certificate stopped working


I’ve been using Let’s encrypt for a few months now without any problems, and suddenly it just stopped working. I changed absolutely nothing on my server or DNS settings but it gives me this error when I click renew in Plesk:

Unable to obtain Let’s Encrypt SSL certificate because of failed challenge for domain “”:
DNS problem: SERVFAIL looking up A for

Domain name:

I would really appreciate any help or tips to fix this problem.
Thank you

This domain has DNSSEC issues:

You’ll need to obtain the correct DS record entry for your domain from your DNS provider and update it with your domain registrar. (Alternatively you could remove the DS record, but this is not recommended since your DNS provider supports DNSSEC.)


Thanks for the quick reply,

are you sure that my DNS provider supports DNSSEC? because I was doubting that.
Do you know where I can obtain de correct DS record entry? is it in my DNS settings or do I need to contact the provider?

I just contacted my domain registrar, they told me that they do not support DNS-SEC. does this mean that I have to move my domainname to another registrar?

Your DNS provider should support DNSSEC because they serve DNSKEY records. The DS record should be available somewhere in their control panel.

It wouldn’t matter if your domain registrar didn’t support DNSSEC, but apparently they do because they have a (wrong) DS record for you!

Even their WHOIS says “DNSSEC: Yes”:

Please ask them why the WHOIS says your domain has DNSSEC and why you have a DS record, if they do not support it.


Thanks for the help Patches, your insights helped to solve the problem for me.

The solution in my case:

The reason lets encrypt suddenly stopped working is because 2 months ago I moved my domainname to another registrar. Even though I changed nothing on my server or settings it turned out that this new provider did not support DNS-SEC. So Lets encrypt did not continue to renew my certificate. (I did not know of DNS-SEC before this issue).

I now moved my domainname to a new registrar that supports DNS-SEC, used the same DNS settings as before and now everything works!

Thank you for the support.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.