Status 400 mistake

Please, can you give advice on why I cannot register my SSL certificate?
Or may I work with my website without this certificate?

Failed to issue SSL / TLS certificate for avtosales.uz
Failed to create Let's Encrypt SSL / TLS certificate for avtosales.uz. Failed to authorize for the domain.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: for www.avtosales.uz - check that a DNS record exists for this domain

There are DNS errors with your domain:

https://dnsviz.net/d/www.avtosales.uz/dnssec/

Strange thing is: when I try to do a dig +trace, I'm not getting any result from your DNS hosting provider's DNS servers (ns1.eskiz.uz, ns2.eskiz.uz and ns3.eskiz.uz). But when I query those nameservers separately with dig @ns1.eskiz.uz .., I do get a reply from ns1.eskiz.uz, but ns2.eskiz.uz and ns3.eskiz.uz are REFUSING my query.. (Literal error "REFUSED".) :thinking: Strange!

In any case, I believe your DNS provider should be able to fix this.

I connected with my provider; they said that I should delete the self-signed certificate. So I am not sure that I delete the right certificate?

Which provider did you talk to? Because any existing certificate is totally unrelated to your current faulty DNS.

They can test the DNS servers themselves by running:

dig @ns2.eskiz.uz +norecurse avtosales.uz

That DNS server (and ns3 also by the way) results in an error. While the ns1 server does give a proper reply.

with eskiz

I'm failing to see how the errors at their DNS servers can be caused by your certificate?

To make it more clear, if I ask their ns2 DNS server for your domain, I get REFUSED:

osiris@erazer ~ $ dig @ns2.eskiz.uz +norecurse avtosales.uz

; <<>> DiG 9.16.12 <<>> @ns2.eskiz.uz +norecurse avtosales.uz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 15873
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 3d1211dcf923891ee4c3098760fbf80343bdc9e76be95dc7 (good)
;; QUESTION SECTION:
;avtosales.uz.			IN	A

;; Query time: 145 msec
;; SERVER: 5.182.26.11#53(5.182.26.11)
;; WHEN: Fri Jul 23 19:10:25 CEST 2021
;; MSG SIZE  rcvd: 69

osiris@erazer ~ $ 

I'm quite interested in their explanation about how the above REFUSED error from their DNS server would be caused by a self-signed certificate on your server.

What do you propose to do in such a situation?

Ask them why their ns2 (and ns3) DNS server is returning a REFUSED status as shown above.

Also: it might be the above error isn't even the actual problem of your error when getting a certificate: seems your www subdomain isn't configured at all at their DNS servers: that's something you should add to the DNS zone in the DNS zone editor of your domain.

In any case, the REFUSED error should also be fixed, even if it's not the main cause of the error you were getting.

Okay, I will reply if the provider answers)
Thank you

And add the www subdomain to your domain in the DNS zone editor :wink:
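
The check discussed in this thread (ask each authoritative nameserver directly with dig +norecurse and read the reply status), as an added shell example that is not part of any post above. It looks at A records only; the function names and verdict labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict labels
# are hypothetical.

# classify_reply: read one dig reply on stdin and print a one-word verdict.
classify_reply() {
    awk '
        /->>HEADER<<-/ {
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            aa = ($0 ~ /flags:[^;]* aa[ ;]/)      # authoritative-answer flag
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (status == "")             print "NO_REPLY"      # timeout, no header
            else if (status != "NOERROR") print status           # REFUSED, NXDOMAIN, SERVFAIL...
            else if (!aa)                 print "NOT_AUTHORITATIVE"
            else if (answers == 0)        print "NO_RECORD"      # name exists, no A record
            else                          print "OK"
        }'
}

# check_zone ZONE NS...: query every listed nameserver without recursion for
# the apex and for www.ZONE (the ACME error above names the www host).
# Returns non-zero if any server gives anything other than OK.
check_zone() {
    zone=$1; shift; bad=0
    for ns in "$@"; do
        for name in "$zone" "www.$zone"; do
            verdict=$(dig "@$ns" +norecurse +time=3 +tries=1 "$name" A 2>/dev/null | classify_reply)
            printf '%-16s %-24s %s\n' "$ns" "$name" "$verdict"
            [ "$verdict" = OK ] || bad=1
        done
    done
    return "$bad"
}

# Usage: check_zone avtosales.uz ns1.eskiz.uz ns2.eskiz.uz ns3.eskiz.uz
```

Every nameserver in the delegation has to answer OK for both names, because a validating resolver may pick any of them.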
