Return code: 400

Hi, I need help.
Can’t install certificate.

My domain is:

I ran this command:

It produced this output: Aug 2

My web server is (include version): Apache 2.2.15-60.el6.centos.4

The operating system my web server runs on is (include version): CentOS-6-amd64

My hosting provider, if applicable, is: Zomro

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ISPmanager Lite 5.113.1

Attached screenshot of my problem.

And info from support my hosting Zomro
May be, it help:

<> DiG 9.9.5 <> ANY ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24414 ;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 3 ;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 2800

;; ANSWER SECTION: 3600 IN NS 3600 IN NS 3600 IN NS 3600 IN SOA 2017072800 3600 3600 604800 86400 3600 IN MX 10 3600 IN A 3600 IN NS 3600 IN MX 20


;; Query time: 17 msec
;; WHEN: Tue Aug 01 09:39:20 MSK 2017
;; MSG SIZE rcvd: 274

Thanks !

Hi @avmart,

I haven’t looked into the underlying technical details of the problem, but I also get a SERVFAIL when I try to look up

You can replicate this by using Google’s public resolver, for example

dig @

By contrast, a query for a different domain succeeds

dig @

Let’s Encrypt does not actually use Google’s public resolver; this is just a quite example to show that other people have trouble doing a DNS lookup for this domain.

The domain has a DS record at the registry, but the DNS servers aren’t using DNSSEC.

@avmart You need to go to your domain registrar and remove the DS record, through some sort of “disable DNSSEC” or “manage DS records” section of their control panel.

Or, of course, you can enable DNSSEC on your nameservers, or switch to nameservers that support DNSSEC. (You would likely still have to change your DS record, though.)

Dear, @mnordhoff !!!
Thank you very very very much!
You were right. The problem was in the DNSSEC.
And now I am a happy owner of a certificate.

Thanks again and good luck ))

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.