Symptoms
A Let's Encrypt certificate cannot be installed with the following error message:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/6265875139. Details: Type: urn:ietf:params:acme:error:dns Status: 400 Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning
Or with this notice:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Your domain in Plesk is hosted on the IP address(es): , but the DNS challenge used another IP address: 203.0.113.3. Please check the actual DNS zone of your domain and make sure that the IP addresses in the DNS zone and for the hosting are the same. Details Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/5B8TL2C3swolx5XyBM871hgUwlQlx_JBAMfuOB3pqOQ. Details: Type: urn:acme:error:unauthorized Status: 403 Detail: Invalid response from http://example.org/.well-known/acme-challenge/PQkwA_59YpHBN7kC2NcUHkaBX2Z8F1GI0QEnxnP81k8: "
- Either the website was just created on a newly registered domain
- Or the domain has just been moved.
When a domain is newly registered or just transferred, it takes up to 4 hours for all DNS servers to redirect the domain towards your hosting with us. Please wait this time and then reapply for the SSL certificate.
Cause
The domain cannot yet be "resolved" by the DNS servers or no A record exists in the domain's DNS.
Solution
- Check the IP address of the web server where your domain resides. Log in to Plesk and remember the IP address listed in the main screen under your domain.
- Check if in My Cloud86 under Domain Names > Managing DNS the domain is added to the correct webhosting package. If not, follow this guide.
- Verify that the domain can now be resolved on the Internet through a website such as https://dnschecker.org. When all DNS servers show green check marks and the correct IP address of the server is listed, you can reapply for the SSL certificate in Plesk.