Let's encrypt failing with wrong IP

JayConsulting

• April 07, 2025 09:02

Hello!

I have a site that was earlier under domain.development.domain, but swapped over to fulldomain.com on friday.
Since then I have not been able to install a Lets Encrypt certificate.

 10:32:37 AM WARN Local HTTP DCV error (ppviken.no): The system queried for a temporary file at “http://fulldomain.com/.well-known/acme-challenge/YWRIZG30WTZAI2DNWYII4_WLIKA3D3O6”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist. The domain “fulldomain.com” resolved to an IP address “2600:1901:0000:84ef:0000:0000:0000:0000” that does not exist on this server.

I am not able to find any acme-challenge file at .wellknown/acme-challenge, and the log is crying after an ipv6 IP that does not exist on the server.

Quering the IP for the site provides me with the right IP:

nslookup
> set q=a
> fulldomain.com

Non-authoritative answer:
Name:    fulldomain.com
Address:  10.10.10.10 (Server IP)

ping fulldomain.com

Pinging fulldomain.com [10.10.10.10 (Server IP)] with 32 bytes of data:
Reply from 10.10.10.10: bytes=32 time=38ms TTL=47

Firstly i assumed it was a slow dns propegation, but its been days at this point.
Any clue what could be going on here?

• 

  Andrew

  • April 07, 2025 09:23

  Check NS in DNS Zone Manager and then query the domain name for NS (like with dig fulldomain.com NS) and see if they are matches.

  Andrew N. - cPanel Plesk VMWare Certified Professional
  Do you need immediate assistance? 20 minutes response time!* Open a ticket
  EmergencySupport - Professional Server Management and One-time Services

  0
• 

  JayConsulting

  • April 07, 2025 09:40

  Somehow www.fulldomain.com got its ssl installed, but root is yet to be installed

  0
• 

  JayConsulting

  • April 07, 2025 11:44

  I think i found the error. Current DNS (hostinger) host has added some custom CAA records which i was not able to see in my dashboard.
  Support deleted the records, ill update this thread.

  1
• 

  rbairwell

  • April 09, 2025 10:53

  In your original post you said:

  > The domain “fulldomain.com” resolved to an IP address “2600:1901:0000:84ef:0000:0000:0000:0000” that does not exist on this server.

  Which is an IPv6 address, but you then did:

  nslookup
  > set q=a
  > fulldomain.com

  which would only query the IPv4 address. What does:

  nslookup
  > set q=aaaa
  > fulldomain.com

  return? (AAAA are the IPv6 address entries/equivalent to IPv4's A records)

   

  0
• 

  JayConsulting

  • April 09, 2025 12:39

  Hello rbairwell!
  
  You are absolutely correct. The DNS host dashboard is horrible and didnt show the AAAA record propperly. 
  After i got theire support to remove the IPV6 A record, SSL went thru instantly.
  
  Thanks for the reply eitherway! :)

  0

Please sign in to leave a comment.