example.comis not reachable in some locations. A and/or NS DNS records are not available worldwide:
# dig +short example.com
# dig NS example.com +short
Issuing/renewing a Let's Encrypt certificate may fail with the following error:
Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed. Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/122747466376.
Detail: DNS problem: SERVFAIL looking up A for example.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for example.com - the domain's nameservers may be malfunctioning
DNS was managed externally previously and nameservers have been recently changed to Plesk nameservers:
The issue is caused by the DNSSEC that was used on the external DNS side earlier. The domain contains a DS record in its zone. The DNS zone is signed on the external DNS side, not in Plesk:
# whois example.com | grep 'DNSSEC|Name'
Domain Name: EXAMPLE.COM
Name Server: ns1.externalnameserver.com
Name Server: ns2.externalnameserver.com
DNSSEC DS Data: 2371 8 2 05018AD82430B60DC43FC0816C98797BC62EB67E57AA98AABC82D7ACD5A8CBC1
Apply one of the solutions below:
To completely disable DNSSEC
Remove the DS record from the parent zone on the external DNS side, for example, using the domain registrar's panel.
To fix DNSSEC
- Remove old DS records from the parent zone on the external DNS side.
- Log into Plesk.
- Install the DNSSEC extension.
- Configure DNSSEC for the domain using the following guide.