LetsEncrypt - cannot execute request

kimbo

When I want to request a certificate for one of my domains I get the following:

Cannot Execute Your Request
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxx...
Processing authorization for mudomein.be...
Challenge is valid.
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxx...
Processing authorization for www.mydomain.be...
Waiting for domain verification...
Let's Encrypt was unable to verify the challenge. Unable to update challenge :: authorization must be pending. Exiting...
So when opening the request on the LE site I see the following:

"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up CAA for www.mydomain.be - the domain's nameservers may be malfunctioning",
"status": 400
 
Are you using your own nameservers or external nameservers?
If you are using external nameservers, are you trying to create a wildcard certificate? Because that is not possible with external nameservers. In that case you have to check all things with the checkbox manually.
 

This is the error I get after I added a wildcard CAA record:
DNS problem: SERVFAIL looking up CAA for www.mydomain.be - the domain's nameservers may be malfunctioning"

So I did change to non-wildcard and even then still the same error. :(
 
Now I ran the LE script via the shell and it seems to be working:
./letsencrypt.sh request mydomain.be 4096
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxx...
Processing authorization for mydomain.be...
Challenge is valid.
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxx...
Processing authorization for www.mydomain.be...
Challenge is valid.
Generating 4096 bit RSA key for mydomain.be...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/user/domains/mydomain.be.key.new"
Generating RSA private key, 4096 bit long modulus
.................................................................................++
..................................................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for bevestigd.be has been created successfully!

This time it ran on the domain name without www... so maybe there's something not correct in my dns or DA.
 
That could be. Did you maybe enable a force redirect to www or non www before you tried creating the ssl certificate? That can sometimes cause some odd things.
I presume you have an A record for www and not a cname, which could also have caused it.
 
True, I have an A record for www... just removed this record and created a CNAME.
This broke my sites and all went down, weird that it didn't work at all.. even now letsencrypt gives another error.
Need to contact my hosting provider and ask why a www CNAME isn't working properly and breaking the A record.
 
I wouldn't use a cname for www because DA always creates an A record for www by default. For Letsencrypt this is easier and gives fewer problems.
So I would remove the cname record and put the A record back.
 
So www is back to an A record and suddenly letsencrypt works again.
 
I had this once too. Might be gone now. However, keep your Letsencrypt up to date and be aware that your nameservers and dns are correct.
Test with at least 2 places, so if you tested with intodns then also test with dnsstuff to be sure.
Good chance it won't happen again.
 