Return code: 400

Hi, I need help.
I can’t install the certificate.

My domain is: http://www.krutolife.com/

I ran this command:

It produced this output: Aug 2

My web server is (include version): Apache 2.2.15-60.el6.centos.4

The operating system my web server runs on is (include version): CentOS-6-amd64

My hosting provider, if applicable, is: Zomro

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ISPmanager Lite 5.113.1

Attached screenshot of my problem.

And here is info from the support of my hosting provider, Zomro.
Maybe it will help:

; <<>> DiG 9.9.5 <<>> @ns1.zomro.net krutolife.com ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24414
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 2800
;; QUESTION SECTION:
;krutolife.com. IN ANY

;; ANSWER SECTION:
krutolife.com. 3600 IN NS ns4.zomro.su.
krutolife.com. 3600 IN NS ns2.zomro.ru.
krutolife.com. 3600 IN NS ns3.zomro.com.
krutolife.com. 3600 IN SOA ns1.zomro.net. support.zomro.com. 2017072800 3600 3600 604800 86400
krutolife.com. 3600 IN MX 10 mail.krutolife.com.
krutolife.com. 3600 IN A 195.123.211.86
krutolife.com. 3600 IN NS ns1.zomro.net.
krutolife.com. 3600 IN MX 20 mail.krutolife.com.

;; ADDITIONAL SECTION:
ns1.zomro.net. 3600 IN A 212.8.245.252
mail.krutolife.com. 3600 IN A 195.123.211.86

;; Query time: 17 msec
;; SERVER: 212.8.245.252#53(212.8.245.252)
;; WHEN: Tue Aug 01 09:39:20 MSK 2017
;; MSG SIZE rcvd: 274

Thanks !

Hi @avmart,

I haven’t looked into the underlying technical details of the problem, but I also get a SERVFAIL when I try to look up krutolife.com.

You can replicate this by using Google’s public resolver, for example

dig @8.8.8.8 krutolife.com

By contrast, a query for a different domain succeeds

dig @8.8.8.8 google.com

Let’s Encrypt does not actually use Google’s public resolver; this is just a quick example to show that other people have trouble doing a DNS lookup for this domain.

http://dnssec-debugger.verisignlabs.com/krutolife.com
http://dnsviz.net/d/krutolife.com/WYI7gw/dnssec/

The domain has a DS record at the registry, but the DNS servers aren’t using DNSSEC.

@avmart You need to go to your domain registrar and remove the DS record, through some sort of “disable DNSSEC” or “manage DS records” section of their control panel.

Or, of course, you can enable DNSSEC on your nameservers, or switch to nameservers that support DNSSEC. (You would likely still have to change your DS record, though.)
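
Added example (not part of the original thread, and not code from Let's Encrypt or any poster): a Python sketch of the check behind the diagnosis above, comparing the DS records published by the parent zone with the DNSKEY records the zone's own nameserver returns. The function names and the sample records are constructed for illustration; the live mode assumes `dig` is installed.

```python
import base64
import subprocess
import sys

def key_tag(dnskey_rdata):
    """Key tag (RFC 4034 Appendix B) of a DNSKEY in presentation format.
    Not valid for algorithm 1 (RSA/MD5), which uses a different rule."""
    flags, proto, alg, *b64 = dnskey_rdata.split()
    wire = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    wire += base64.b64decode("".join(b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(wire))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def _records(lines):
    """Drop blank lines and dig's ';;' diagnostics from +short output."""
    return [l for l in lines if l.strip() and not l.startswith(";")]

def classify(ds_lines, dnskey_lines):
    """Compare `dig +short` DS lines (parent) with DNSKEY lines (zone).
    Only key tags are compared; digests and signatures are not verified."""
    ds_tags = {int(line.split()[0]) for line in _records(ds_lines)}
    zone_tags = {key_tag(line) for line in _records(dnskey_lines)}
    if not ds_tags:
        return "insecure"  # no DS: validators treat the zone as unsigned
    if not zone_tags:
        return "bogus: DS at parent, no DNSKEY in zone"  # this thread's case
    if not ds_tags & zone_tags:
        return "bogus: DS matches no DNSKEY"
    return "chain-present"

def dig_short(rrtype, name, server=None):
    """Run dig; pass an authoritative server for DNSKEY, because a
    validating resolver answers SERVFAIL for a bogus zone."""
    cmd = ["dig", "+short"] + ([f"@{server}"] if server else []) + [name, rrtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

# Constructed sample data (toy key, placeholder digest), not from the thread.
SAMPLE_DS = ["1545 8 2 00"]
SAMPLE_DNSKEY = ["257 3 8 AQAB"]

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py <domain> <authoritative-ns>
        ds = dig_short("DS", sys.argv[1])
        keys = dig_short("DNSKEY", sys.argv[1], sys.argv[2])
    else:                    # offline demo: DS published, zone unsigned
        ds, keys = SAMPLE_DS, []
    print(classify(ds, keys))
```

A result of "insecure" after the DS record is removed at the registrar is the expected healthy state for a zone whose nameservers do not sign it.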

Dear @mnordhoff!!!
Thank you very, very, very much!
You were right. The problem was with DNSSEC.
And now I am a happy owner of a certificate.

Thanks again and good luck ))
