Trouble getting a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.zulileko.co.uk

I ran this command:
Tried to install certificate on new domain in Plesk control panel. No problem previously with other domains on same IP address.

It produced this output:
Error: Could not issue a Let’s Encrypt SSL/TLS certificate for zulileko.co.uk .
Please make sure that your domain is correct and the DNS A record(s) for that domain
contain(s) the right IP address.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/f6eJN_TIjpZvGZOXWOH1kl5xvZuba6wz5j9GDYthoSQ.
Details:
Type: urn:acme:error:unknownHost
Status: 400
Detail: No valid IP addresses found for zulileko.co.uk

My web server is (include version):

The operating system my web server runs on is (include version): not known

My hosting provider, if applicable, is: Phonecoop

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): YES - Plesk 5

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Your domain doesn’t have an A or AAAA record. You’ll need to enter the IP address of your server for the hostname in your DNS configuration panel.

Hi @Julie.Thorpe

I see, you have already checked your domain via https://check-your-website.server-daten.de/?q=zulileko.co.uk

On top, there is the problem:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| zulileko.co.uk | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.zulileko.co.uk | A | 185.25.241.23 | yes | 1 | 0 |
| | AAAA | | yes | | |

Your non-www domain doesn't have an IP address, but your www version has one. So you can't get a certificate for your non-www domain using http-01 validation.

-->> Add an A-record, perhaps the same ip as your www-version. Then check your domain again.

I’ve added an A record for the non-www domain but still can’t get it to work. It isn’t showing up in check-your-website though.

The domain is using different nameservers.

zulileko.co.uk.         172800  IN      NS      ns.123-reg.co.uk.
zulileko.co.uk.         172800  IN      NS      ns2.123-reg.co.uk.

Currently you have to make changes there.

There is no ip address:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| zulileko.co.uk | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.zulileko.co.uk | A | 185.25.241.23 | yes | 1 | 0 |
| | AAAA | | yes | | |

In the row of zulileko.co.uk and A - there must be an address.

Compare it with my own domain (A = ipv4 and AAAA = ipv6 are defined - https://check-your-website.server-daten.de/?q=server-daten.de ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| server-daten.de | A | 85.215.2.228 | yes | 1 | 0 |
| | AAAA | 2a01:238:301b::1228 | yes | | |
| www.server-daten.de | A | 85.215.2.228 | yes | 1 | 0 |
| | AAAA | 2a01:238:301b::1228 | yes | | |

I know it needs to have an address in that row - but I don’t know how to get one to appear there. I have set up an A record for zulileko.co.uk with the correct IP address - you can see it in the screen shot I sent, above.

Thanks - I’ll fix that.

There are a lot of things wrong with your DNS settings.

For example, the MX record for your domain is not mail.zulileko.co.uk, but info.zulileko.co.uk according to the current DNS servers:

;; ANSWER SECTION:
zulileko.co.uk.		14400	IN	MX	10 info.zulileko.co.uk.

But the hostname info.zulileko.co.uk doesn’t exist.

If you’re wondering why e-mail to your domain doesn’t work: that’s probably it.

So I don’t know on which control panel you’re changing those DNS settings, but the registrar of your domain name doesn’t point to those nameservers, as @mnordhoff already pointed out.

But I can't see it. Not with my online tool, not manually:

D:\>nslookup zulileko.co.uk. ns.123-reg.co.uk.
Server:  ns.hosteurope.com
Address:  212.67.202.2

Name:    zulileko.co.uk

D:\>nslookup zulileko.co.uk. ns1.123-reg.co.uk.
Server:  ns.hosteurope.com
Address:  212.67.202.2

Name:    zulileko.co.uk

D:\>nslookup zulileko.co.uk. ns2.123-reg.co.uk.
Server:  UnKnown
Address:  62.138.132.21

Name:    zulileko.co.uk

No ip address.

Looks like this Plesk DNS server needs to send the entries to these publicly visible servers.

I'm pretty sure that's not the case, as the NS records are totally different from the actual NS records on the current authoritative nameservers. If there was some sort of master/slave set-up, it would also have updated the incorrect NS records. And the TXT records.

But also all those "older" DNS entries, like the TXT, MX and other hostnames, are nowhere to be found on the current authoritative nameservers.

But how does this Plesk DNS server work?

I’ve never used Plesk, but as a user I would think the same as @Julie.Thorpe: The A record is defined.

Well, the only thing I see, is a zone file editor. Surely, if you ask those nameservers directly, you're getting the results you're seeing in that zone file editor.

The problem is: the whole world wide web and its DNS resolvers are NOT pointing to those mydns0.uk, mydns1.uk or mydns2.uk. No. The DNS servers of the uk TLD are pointing to the nameservers ns1.123-reg.co.uk and ns2.123-reg.co.uk, as @mnordhoff showed.

Therefore, every DNS resolver asking for the hostnames of zulileko.co.uk is not pointed to the Plesk DNS zone file as shown in the image. No, they are pointed to a whole different server. Who knows where those servers are managed? Only @Julie.Thorpe can tell us :wink:

For example:
Just as I can generate a zone for letsencrypt.org on my own BIND nameserver. If I use dig directly pointing to my own DNS server, I will get the results I have entered in my BIND zone file for letsencrypt.org. But, as no .org TLD is ever pointing to my DNS server, nobody will ever see my fake letsencrypt.org DNS entries.

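The delegation problem Osiris describes, as an added example that is not from this thread: a small offline check that compares the nameservers the parent zone delegates to with the NS set in a locally edited zone file, then reports which hostnames the public resolvers can actually resolve. The record sets are constructed from the check-your-website and dig output quoted above; nothing is fetched live.

```python
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]             # (hostname, record type)
ZoneData = Dict[Record, List[str]]   # answers per (hostname, type)

# Constructed from the thread: the .uk parent delegates the zone to 123-reg.
DELEGATED_NS: Set[str] = {"ns.123-reg.co.uk", "ns2.123-reg.co.uk"}

# Constructed: what the delegated (publicly used) nameservers answer.
PUBLIC_ANSWERS: ZoneData = {
    ("zulileko.co.uk", "A"): [],
    ("www.zulileko.co.uk", "A"): ["185.25.241.23"],
    ("zulileko.co.uk", "NS"): ["ns.123-reg.co.uk", "ns2.123-reg.co.uk"],
}

# Constructed: the zone Plesk serves from its own nameservers.
PLESK_ZONE: ZoneData = {
    ("zulileko.co.uk", "A"): ["185.25.241.23"],
    ("www.zulileko.co.uk", "A"): ["185.25.241.23"],
    ("zulileko.co.uk", "NS"): ["mydns0.uk", "mydns1.uk", "mydns2.uk"],
}


def addresses(zone: ZoneData, name: str) -> List[str]:
    """All A and AAAA answers a zone gives for a hostname."""
    return zone.get((name, "A"), []) + zone.get((name, "AAAA"), [])


def diagnose(apex: str, delegated_ns: Set[str],
             public: ZoneData, local_zone: ZoneData) -> List[str]:
    """Explain why a certificate request for apex or www would fail.

    First compares the parent's delegation with the NS set in the locally
    edited zone, then checks the addresses resolvers will actually see.
    """
    findings: List[str] = []
    local_ns = set(local_zone.get((apex, "NS"), []))
    if local_ns != delegated_ns:
        findings.append(
            f"delegation mismatch: parent delegates {apex} to "
            f"{sorted(delegated_ns)}, but the zone file names "
            f"{sorted(local_ns)}; resolvers never ask the zone file's servers")
    for name in (apex, "www." + apex):
        if addresses(public, name):
            continue  # the world can resolve it, so http-01 can reach it
        msg = f"{name}: no A/AAAA at the delegated nameservers (unknownHost)"
        if addresses(local_zone, name):
            msg += "; the record exists only in the unpublished zone file"
        findings.append(msg)
    return findings
```

Running `diagnose("zulileko.co.uk", DELEGATED_NS, PUBLIC_ANSWERS, PLESK_ZONE)` reports the delegation mismatch and the missing apex address; once the registrar delegates to the Plesk nameservers, the same check against the Plesk zone returns nothing.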

Osiris -

Many thanks for your help - you nailed it. I hope I haven’t wasted too much of people’s time here - I’m a bit of a rookie!

So, the NS were set by 123-reg where the domain is managed. The NS records in Plesk were set automatically when the domain was set up on that server to create the website. The two things didn’t match. So I’ve now changed the NS at 123-reg to the mydns0.uk, mydns1.uk and mydns2.uk ones. And everything is happy now.

Sorry again for taking up your time with a silly mistake and thanks for all your help.
Julie


Yep, now your Nameserver entries are correct.

And there is a direct loop:

https + www -> https + non-www -> https + www

So select one preferred version and remove the redirect from your preferred to your not preferred version.

Remove the A record for the non-preferred version?

No. It's always good to have a non-www and a www-version of the dns entries. Some users add www every time, some users never.

You have one redirect too many. You should remove that redirect, or the rule is wrong.

It's your https that is wrong:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://zulileko.co.uk/ | 185.25.241.23 | 301 | https://zulileko.co.uk/ | 0.076 | A |
| http://www.zulileko.co.uk/ | 185.25.241.23 | 301 | https://zulileko.co.uk/ | 0.074 | E |
| https://zulileko.co.uk/ | 185.25.241.23 | 301 | https://www.zulileko.co.uk/ | 3.350 | B |
| https://www.zulileko.co.uk/ | 185.25.241.23 | 301 | https://zulileko.co.uk/ | 1.650 | B |

Check the https / port 443 vHosts; there may be a wrong redirect rule.

Your http redirects are partially ok (one A, one E). But there is no loop.

-->> vHost port 443 / https is to check.
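The loop in the redirect table above, as an added example that is not from this thread: a redirect-chain walker that reports which entry points never reach a final page, and the same map after the fix Juergen recommends (the preferred version, assumed here to be https + www, must not redirect anywhere). The redirect map is constructed from the table's 301 targets; no requests are sent.

```python
from typing import Dict, List, Set, Tuple

# Constructed from the thread's redirect table: each URL and where its 301 points.
REDIRECTS: Dict[str, str] = {
    "http://zulileko.co.uk/": "https://zulileko.co.uk/",
    "http://www.zulileko.co.uk/": "https://zulileko.co.uk/",
    "https://zulileko.co.uk/": "https://www.zulileko.co.uk/",
    "https://www.zulileko.co.uk/": "https://zulileko.co.uk/",
}


def follow(start: str, redirects: Dict[str, str]) -> Tuple[List[str], bool]:
    """Walk the redirect chain from start.

    Returns the visited URLs and True if a URL repeats (a loop). The map is
    finite and every URL is added to seen at most once, so this terminates.
    """
    chain = [start]
    seen = {start}
    url = start
    while url in redirects:
        url = redirects[url]
        chain.append(url)
        if url in seen:
            return chain, True
        seen.add(url)
    return chain, False


def looping_entry_points(redirects: Dict[str, str]) -> List[str]:
    """Starting URLs from which a visitor would never reach a final page."""
    return [start for start in redirects if follow(start, redirects)[1]]


def final_destinations(redirects: Dict[str, str]) -> Set[str]:
    """Where the non-looping entry points end up; one element means one canonical site."""
    return {follow(s, redirects)[0][-1]
            for s in redirects if not follow(s, redirects)[1]}


def drop_redirect(redirects: Dict[str, str], preferred: str) -> Dict[str, str]:
    """Remove the redirect away from the preferred version, as advised above."""
    return {src: dst for src, dst in redirects.items() if src != preferred}


if __name__ == "__main__":
    print("looping entry points:", looping_entry_points(REDIRECTS))
    fixed = drop_redirect(REDIRECTS, "https://www.zulileko.co.uk/")
    print("after the fix every visitor lands on:", final_destinations(fixed))
```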

Great - thanks - think I’ve successfully done that now.

Julie


Yep, now it's good. You have two correct redirects http -> https and one redirect https + non-www to https + www.

So every user (http, https, non-www, www) sees the same site - https + www and is secure.

A few weeks later, if the renewal works, you may add the HSTS header.

But HSTS requires you to always have a correct certificate. So it's better to wait and see if the renewal works.

Thank you very much for your help and advice.

Julie
