Renewing SSL certificate stopped working

BestPhone · August 28, 2017, 7:39am

Hello,

I’ve been using Let’s encrypt for a few months now without any problems, and suddenly it just stopped working. I changed absolutely nothing on my server or DNS settings but it gives me this error when I click renew in Plesk:

Unable to obtain Let’s Encrypt SSL certificate because of failed challenge for domain “bestphone.nl”:
DNS problem: SERVFAIL looking up A for bestphone.nl

Domain name: https://bestphone.nl/

I would really appreciate any help or tips to fix this problem.
Thank you

Patches · August 28, 2017, 7:57am

This domain has DNSSEC issues:

http://dnsviz.net/d/bestphone.nl/dnssec/

You’ll need to obtain the correct DS record entry for your domain from your DNS provider and update it with your domain registrar. (Alternatively you could remove the DS record, but this is not recommended since your DNS provider supports DNSSEC.)

BestPhone · August 28, 2017, 8:12am

Thanks for the quick reply,

are you sure that my DNS provider supports DNSSEC? because I was doubting that.
Do you know where I can obtain de correct DS record entry? is it in my DNS settings or do I need to contact the provider?

BestPhone · August 28, 2017, 8:13am

I just contacted my domain registrar, they told me that they do not support DNS-SEC. does this mean that I have to move my domainname to another registrar?

Patches · August 28, 2017, 8:36am

Your DNS provider should support DNSSEC because they serve DNSKEY records. The DS record should be available somewhere in their control panel.

It wouldn’t matter if your domain registrar didn’t support DNSSEC, but apparently they do because they have a (wrong) DS record for you!

Even their WHOIS says “DNSSEC: Yes”:

https://who.is/whois/bestphone.nl

Please ask them why the WHOIS says your domain has DNSSEC and why you have a DS record, if they do not support it.

BestPhone · August 28, 2017, 10:36am

Thanks for the help Patches, your insights helped to solve the problem for me.

The solution in my case:

The reason lets encrypt suddenly stopped working is because 2 months ago I moved my domainname to another registrar. Even though I changed nothing on my server or settings it turned out that this new provider did not support DNS-SEC. So Lets encrypt did not continue to renew my certificate. (I did not know of DNS-SEC before this issue).

I now moved my domainname to a new registrar that supports DNS-SEC, used the same DNS settings as before and now everything works!

Thank you for the support.

system · September 27, 2017, 10:36am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to obtain Let's Encrypt SSL certificate because of failed challenge for domain "": DNS problem: SERVFAIL looking up A for l Help	3	2796	August 17, 2017
Trouble Renewing Certificate Help	3	665	March 27, 2019
DNS Problem: SERVFAIL Help	8	1731	June 11, 2021
Failed renewal [Solved: DNSSEC problem] Help	4	2321	June 7, 2017
DNS problem: SERVFAIL looking up A for www.rnelnet.com DNSSEC issue? Help	4	1462	September 13, 2019

Renewing SSL certificate stopped working

Related topics