Since shortly I cannot issue a certificate for my domain

My domain is: vibecyber.eu

The domain is hosted on a virtual server running CentOS and managed via a Plesk control panel. As automatic renewal suddenly failed, I ran this command: "Renew Existing certificate in Plesk", like I always did when automatic renewal didn't function! I also checked the _acme-challenge text records with mx-toolbox prior to reloading the cert; however, I always received a DNS record check error! Other domains on the same virtual server are renewed automatically without any problem.

It produced this output:
Could not issue an SSL/TLS certificate for vibecyber.eu

Details: Could not issue a Let's Encrypt SSL/TLS certificate for vibecyber.eu. Authorization for the domain failed.

Details: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/137038782846.

Details: Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.vibecyber.eu - the domain's nameservers may be malfunctioning

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS Linux 7.9.2009

My hosting provider, if applicable, is: Hosteurope

I can login to a root shell on my machine (yes or no, or I don't know): yes, I can

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian; Version 18.0.45 Update #2, last updated on July 26, 2022

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Plesk embedded extensions: letsencrypt (Version 3.0.0-785) and SSL IT (Version 1.11.0-1509)

Appreciate assistance in solving this issue.

Welcome to the community @Misho

There is a problem in your DNS config. You have a different Name Server (NS) record for your _acme-challenge.vibecyber.eu domain than for your apex vibecyber.eu. And, that name server has problems. See this site for more info:
https://dnsviz.net/d/_acme-challenge.vibecyber.eu/dnssec/

And, you can use the unboundtest.com site to check your DNS lookups. It uses a similar method to what the Let's Encrypt servers use for DNS lookup, so it makes it easier to test. You can see the same SERVFAIL error from this test I ran:
https://unboundtest.com/m/TXT/_acme-challenge.vibecyber.eu/QK7EHZKI

6 Likes

Thanks Mike McQ.
I just wonder what happened that my DNS settings got scrambled. I didn't change a thing on that server and it was working until now like a charm.
Your help is truly appreciated and I will check the apex DNS and Zone settings.
Hope I can resolve the issue swiftly....

2 Likes

This seems like where "the problem" starts:

nslookup -q=txt _acme-challenge.vibecyber.eu ns1.domaindiscount24.net
_acme-challenge.vibecyber.eu    nameserver = ns.vibecyber.eu
ns.vibecyber.eu internet address = 176.28.18.133

[All three authoritative DNS servers show "ns.vibecyber.eu" as being authoritative for that entry]

It strays far from the expected:

vibecyber.eu    nameserver = ns1.domaindiscount24.net
vibecyber.eu    nameserver = ns2.domaindiscount24.net
vibecyber.eu    nameserver = ns3.domaindiscount24.net

3 Likes

That would be expected if using something like acme-dns--but that doesn't seem to be the case here.

4 Likes

Yes, poor wording on my part. My sentence "You have a different Name Server ..." was intended as a fact, not the problem description. Just something to help focus further debug. I see now how that could be clearer - thanks.

3 Likes

Thanks All!
Thanks to MikeMcQ's and rg305's hints I found the error last night and need to await DNS propagation to complete to get it hopefully resolved. I had a DNS delegation in place on my registrar's authoritative NS to the VS NS I am operating at my provider, and uncovered some erroneous DNS entries. It seems to work now, as letsencrypt auto renewal went through last night! But to ensure all is set I need to await another 24 hours.

2 Likes

Problem solved!

Latest unboundtest result:
Query results for TXT _acme-challenge.vibecyber.eu
Response:
;; opcode: QUERY, status: NOERROR, id: 24844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

Issue closed!
Thanks a million, Gentlemen! :smiley:

2 Likes
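
The check the thread walks through (compare the NS set of `_acme-challenge.vibecyber.eu` with the apex, then look at the resolver's status for the TXT query) can be scripted. This is an added example, not part of any post above; the function names are hypothetical, and the sample inputs are constructed from the nslookup and unboundtest output quoted in the thread (the SERVFAIL header line is constructed, since the thread only reports the status).

```python
import re

# Constructed sample input in the nslookup format quoted in the thread.
APEX_NS_OUTPUT = """\
vibecyber.eu    nameserver = ns1.domaindiscount24.net
vibecyber.eu    nameserver = ns2.domaindiscount24.net
vibecyber.eu    nameserver = ns3.domaindiscount24.net
"""
CHALLENGE_OUTPUT = """\
_acme-challenge.vibecyber.eu    nameserver = ns.vibecyber.eu
ns.vibecyber.eu internet address = 176.28.18.133
"""
# Resolver header lines in the unboundtest format; the first is constructed.
HEADER_BEFORE = ";; opcode: QUERY, status: SERVFAIL, id: 1"
HEADER_AFTER = ";; opcode: QUERY, status: NOERROR, id: 24844"

NS_LINE = re.compile(r"^(\S+)[ \t]+nameserver = (\S+)$", re.M)
STATUS = re.compile(r"status: ([A-Z]+)")

def nameservers(output):
    """Map each owner name to the set of NS targets found in nslookup output."""
    found = {}
    for owner, target in NS_LINE.findall(output):
        owner, target = owner.lower().rstrip("."), target.lower().rstrip(".")
        found.setdefault(owner, set()).add(target)
    return found

def check_challenge(apex, apex_out, challenge_out, header):
    """Return findings for _acme-challenge.<apex>; an empty list means clean."""
    label = "_acme-challenge." + apex
    apex_ns = nameservers(apex_out).get(apex, set())
    sub_ns = nameservers(challenge_out).get(label, set())
    findings = []
    # A separate delegation is legitimate (e.g. acme-dns), so this is only a
    # pointer to which server must be answering, not an error by itself.
    extra = sorted(sub_ns - apex_ns)
    if extra:
        findings.append(f"{label} is delegated to {', '.join(extra)}; "
                        "verify that server answers TXT queries")
    match = STATUS.search(header)
    rcode = match.group(1) if match else "UNKNOWN"
    if rcode != "NOERROR":
        findings.append(f"TXT lookup for {label} returned {rcode}")
    return findings

if __name__ == "__main__":
    for line in check_challenge("vibecyber.eu", APEX_NS_OUTPUT,
                                CHALLENGE_OUTPUT, HEADER_BEFORE):
        print(line)
```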