400 error DNS problem servfail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: just-passed.com

I ran this command: install Let's Encrypt on domain only

It produced this output: Updating challenge for just-passed.com: acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up A for just-passed.com - the domain's nameservers may be malfunctioning (order URL: https://acme-v02.api.letsencrypt.org/acme/order/89260175/5881475364)

My web server is (include version): Linux

The operating system my web server runs on is (include version): CentOS 7.8

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, CentOS 7.8

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @webdesign20

There is a check of your domain, 10 minutes old - https://check-your-website.server-daten.de/?q=just-passed.com

There you see the problem, your DNSSEC is broken.

The parent zone says: You use DNSSEC. But your zone doesn't send the required DNSKEY.

Result:

Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 28076, DigestType 2, Digest Mfb5Ps9Qt11xWcbLqQCgWboer9jOM7BKBjsQj1EOwAk=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

Update your DNSSEC or remove it.

PS: Broken DNSSEC -> it's not possible to find an IP address.

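The "signed DS RR, but the destination DNSKEY doesn't exist or doesn't validate" error above is a parent/child mismatch that an operator can reproduce offline. The following is an added example (not from the original post or the check-your-website tool): it recomputes the DS record that a given DNSKEY would produce (RFC 4034 section 5.1.4 and appendix B) and reports which DS records in the parent zone match no DNSKEY in the child. The DS values are the ones quoted in the thread; the child DNSKEY is a constructed placeholder, not the zone's real key.

```python
import base64
import hashlib

# Supported DS digest types: 1 = SHA-1, 2 = SHA-256 (the thread's DS), 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root byte last."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as on the wire: flags(2) protocol(1) algorithm(1) public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (algorithm 1 / RSA-MD5 uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS this DNSKEY would produce: (keytag, algorithm, digest_type, base64 digest).
    digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).digest()
    return (key_tag(rdata), algorithm, digest_type, base64.b64encode(digest).decode())

def unmatched_ds(owner, ds_records, dnskeys):
    """DS records from the parent that no DNSKEY served by the child reproduces.
    A non-empty result is the 'no chain of trust' state: validating resolvers SERVFAIL."""
    unmatched = []
    for tag, alg, dtype, digest_b64 in ds_records:
        if not any(ds_from_dnskey(owner, *key, digest_type=dtype) == (tag, alg, dtype, digest_b64)
                   for key in dnskeys):
            unmatched.append((tag, alg, dtype))
    return unmatched

# DS the check in this thread reported in the parent (.com) zone, quoted from the thread.
PARENT_DS = [(28076, 8, 2, "Mfb5Ps9Qt11xWcbLqQCgWboer9jOM7BKBjsQj1EOwAk=")]
# Constructed placeholder DNSKEY (four-byte fake public key), standing in for the child's key.
CHILD_DNSKEYS = [(257, 3, 8, "AQIDBA==")]

if __name__ == "__main__":
    for tag, alg, dtype in unmatched_ds("just-passed.com", PARENT_DS, CHILD_DNSKEYS):
        print(f"DS keytag={tag} alg={alg} digest_type={dtype} matches no DNSKEY: chain of trust broken")
```

To use this against a real zone, feed `dnskeys` the DNSKEY RRset the child's nameservers return and `ds_records` the DS RRset from the parent; an empty result means the DS-to-DNSKEY link is intact and any remaining SERVFAIL comes from signatures rather than the delegation.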

Thank you, yes, I ran that test from looking at other topics, so I'm just looking into this now but can't find where to update or remove DNSSEC. I am using a reseller account with a host and from there pointing the domain to a dedicated server IP address.


It's a problem of your DNS provider, not of your webhosting.

ns.mainnameserver.com - that's your name server; that's where you have to check.

Leeds/England/United Kingdom (GB) - Heart Internet Limited

is the company.


Yes Juergen, it is Heart Internet; they are trying to say it's a fault with my server and Let's Encrypt. OK, I shall raise this with them again, thank you.


Sounds like they don't know the basics about DNSSEC.

See another test:

The delegation status is bogus (that's the same information already shared in other words).

And if a domain uses DNSSEC, but DNSSEC is broken, there are two options:

  • There is a man in the middle, so the IP is wrong - that's the idea of DNSSEC (or)
  • the DNSSEC configuration is buggy

So Let's Encrypt should never create a certificate with that domain name and a broken DNSSEC.


I would agree Juergen, this site just went off for no reason this morning and I have been on to support all day long; it took 6 hours to get past first line support, who did not know anything about certificates or DNS. Thank you again for your help, I just need to get my customer's site back. Strange how it's only 1 domain on my server out of 300 that I own.
