Updating challenge for affilisite.com: acme: error code 400 "urn:ietf:params:acme:error:connection": dns :: DNS problem: SERVFAIL looking up A for affilisite.com

My domain is: affilisite.com

It produced this output:
Updating challenge for affilisite.com: acme: error code 400 “urn:ietf:params:acme:error:connection”: dns :: DNS problem: SERVFAIL looking up A for affilisite.com

Hi @emjays

You have IPv4 addresses (https://check-your-website.server-daten.de/?q=affilisite.com):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| affilisite.com | A | 77.72.1.17 | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.affilisite.com | A | 77.72.1.17 | yes | 1 | 0 |
| | AAAA | | yes | | |

But you have DNSSEC enabled. So there is a DS record in your parent zone.

1 DS RR in the parent zone found
	1 RRSIG RR to validate DS RR found
	Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 13.05.2019, 05:17:24, Signature-Inception: 06.05.2019, 04:07:24, KeyTag 3800, Signer-Name: com

	• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 3800 used to validate the DS RRSet in the parent zone

	0 DNSKEY RR found
	Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 31494, DigestType 2, Digest ayjvf2TsBGVpcOSg1l5UcfjXQPj0L+i3663FDqNgK3Y=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

But your zone doesn't have a DNSKEY. So your DNSSEC is invalid.

Rechecked with DNSSEC Analyzer - affilisite.com to see if my tool has a bug - the same result.

Found 1 DS records for affilisite.com in the com zone
DS=31494/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=3800 and DNSKEY=3800 verifies the DS RRset
No DNSKEY records found
affilisite.com A RR has value 77.72.1.17
No RRSIGs found

So fix your DNSSEC or remove the DS entry in the parent zone, so your zone isn't secure.

PS: You have a cPanel certificate:

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1436454313 | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, C=US, ST=TX | 2019-05-02 00:00:00 | 2019-07-31 23:59:59 | affilisite.com, cpanel.affilisite.com, mail.affilisite.com, webdisk.affilisite.com, webmail.affilisite.com, www.affilisite.com (6 entries) | | |

If you use cPanel, you should use cPanel to create a certificate. Perhaps cPanel ignores that DNSSEC error (I don’t know).
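The DS-to-DNSKEY link that both reports above found broken can be reproduced offline. This is an added example, not part of the original posts or of either tool's code. The function names, the `example.test` zone and `SAMPLE_KEY` are hypothetical and constructed for illustration. It checks only that a DS matches a published DNSKEY (RFC 4034 key tag and SHA-256 digest) and does not verify RRSIGs.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in the form that is hashed for a DS record (RFC 4034)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def delegation_status(owner, ds_set, dnskey_set):
    """ds_set: (key_tag, algorithm, digest_type, digest); dnskey_set: RDATA blobs."""
    if not ds_set:
        return "insecure"  # no DS in the parent: resolvers do not validate
    for tag, alg, digest_type, digest in ds_set:
        for rdata in dnskey_set:
            if (digest_type == 2 and rdata[3] == alg and key_tag(rdata) == tag
                    and ds_digest_sha256(owner, rdata) == digest):
                return "matched"  # DS points at a published DNSKEY
    return "bogus"  # DS present, no matching DNSKEY: validators answer SERVFAIL

# DS values as reported in this thread for affilisite.com
PAGE_DS = (31494, 13, 2,
           base64.b64decode("ayjvf2TsBGVpcOSg1l5UcfjXQPj0L+i3663FDqNgK3Y="))

# Constructed placeholder key material (not a real key) for the matching case
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = (key_tag(SAMPLE_KEY), 13, 2,
             ds_digest_sha256("example.test", SAMPLE_KEY))

if __name__ == "__main__":
    print(delegation_status("affilisite.com", [PAGE_DS], []))  # state in this thread
    print(delegation_status("affilisite.com", [], []))         # DS removed from parent
    print(delegation_status("example.test", [SAMPLE_DS], [SAMPLE_KEY]))
```
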

Thanks for your help, all sorted now. Can you edit where my site name is included so this page isn't indexed by Google?

Thanks
