Could not issue a Let’s Encrypt SSL/TLS certificate. Authorization for the domain failed.

Symptoms

The website for which you are trying to request an SSL certificate has just been newly registered or moved from another provider, and when requesting the certificate (Requesting Free SSL Certificate from Let's Encrypt) you get one of the following messages:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6265875139. Details: Type: urn:ietf:params:acme:error:dns Status: 400 Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning

Or with this notice:

Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Your domain in Plesk is hosted on the IP address(es): , but the DNS challenge used another IP address: 203.0.113.3. Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same. Details Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/5B8TL2C3swolx5XyBM871hgUwlQlx_JBAMfuOB3pqOQ. Details: Type: urn:acme:error:unauthorized Status: 403 Detail: Invalid response from http://example.org/.well-known/acme-challenge/PQkwA_59YpHBN7kC2NcUHkaBX2Z8F1GI0QEnxnP81k8: "

Cause

  • The domain cannot yet be “resolved” by the DNS servers or no A record exists in the domain's DNS.

Note: when a domain is newly registered or has just been moved, it takes up to 4 hours for all DNS servers to point the domain to your hosting with us. Check that the domain is present in the DNS zone (Add Domain to DNS Zone), wait out this period, and then reapply for the SSL certificate.

Solution

Make sure the A record of the domain points to our server. First find the IP address of the server that the Web Hosting Package is on, then check the DNS settings.

Server IP of web hosting package

  1. Log in to My Cloud86 (My Cloud86)
  2. Click My Services in the left menu
  3. Then click the 3 dots next to the web hosting package where the domain is registered and click View Details.
  4. Scroll to the bottom and look at Additional Information; this shows the IP address of the server where the Web Hosting Package is active.

Check DNS settings

With the IP address we found above (in our example: 45.82.191.14; replace it with the IP address of your Web Hosting Package), we can check that the A record also points to our server.

  1. In My Cloud86, click Domains in the left menu and then Manage DNS. Check that the domain has been added to the correct web hosting package. If not, follow Add Domain to DNS Zone.
  2. If the domain is listed, click the pencil icon (this is the Edit DNS zone button) and check that the A record named @ points to the IP address above.
  3. If the above are all good, check that the DNS changes have propagated properly. You can do this with the website https://dnschecker.org. When all DNS servers show green check marks and the correct IP address of the server is mentioned, you can reapply for the SSL certificate in Plesk (Apply for free SSL certificate from Let's Encrypt).
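
The propagation check from step 3 can also be run from a terminal. The script below is an added example, not Cloud86 or Plesk code: it asks several public resolvers directly for the A record and reports whether each one returns SERVFAIL, another IP address, or the hosting IP. The function names and the resolver list (1.1.1.1, 8.8.8.8, 9.9.9.9) are assumptions, and constructed_response() builds constructed sample replies for offline runs.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234):  # one question: type A, class IN, RD set
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def skip_name(msg, off):  # offset just past a name (labels or compression pointer)
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_response(msg):  # -> (rcode name, IPv4 addresses of A records in the answer)
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return RCODES.get(flags & 0x0F, f"RCODE{flags & 0x0F}"), ips

def verdict(rcode, ips, hosting_ip):  # map one resolver's answer to the article's cases
    if rcode != "NOERROR":
        return f"FAIL {rcode}: domain does not resolve yet"
    if set(ips) != {hosting_ip}:
        return f"FAIL: A record is {', '.join(ips) or 'missing'}, expected {hosting_ip}"
    return "OK"

def constructed_response(name, ips, rcode=0):  # constructed sample reply, not captured traffic
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(i) for i in ips)
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0) + build_query(name)[12:] + rrs

def check(domain, hosting_ip, resolvers=("1.1.1.1", "8.8.8.8", "9.9.9.9")):
    out = {}  # resolver -> verdict; reapply for the certificate once every entry is "OK"
    for r in resolvers:
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(3)
                s.sendto(build_query(domain), (r, 53))
                out[r] = verdict(*parse_response(s.recv(512)), hosting_ip)
        except (OSError, struct.error, IndexError) as e:
            out[r] = f"FAIL: no usable answer ({e})"
    return out
```

Call `check("example.com", "45.82.191.14")` with your own domain and the IP address of your Web Hosting Package. It is a diagnostic only and does not validate the reply's transaction ID or source.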

If you need some help, you can always reach our support desk by email at support@cloud86.io, and on weekdays from 10:00 am to 4:00 pm you can also reach us by phone and via the chat in My Cloud86.