Authorization Failure - DNS problem: SERVFAIL Looking up CAA

I am having trouble reissuing certificates for a domain I control: eurekausd.org. I have several subdomains, all with Let's Encrypt certificates. The main domain eurekausd.org is currently protected, and I was able to reissue a certificate for it, but all subdomains are unable to get a certificate. They are: cavitt.eurekausd.org, excelsior.eurekausd.org, greenhills.eurekausd.org, maidu.eurekausd.org, oakhills.eurekausd.org, olympus.eurekausd.org, ridgeview.eurekausd.org, staffdirectory.eurekausd.org, and www.urekausd.org. All are giving an authorization error when trying to renew the certificate. All of them have "renewed 10 times" on them, so they have been working for quite a long time. This error has occurred only recently. It is also the only domain that I control that is having this problem, and I have hundreds with Let's Encrypt certificates.

The hosting environment is Windows Server running IIS (I believe it is IIS 8.x). We use win-acme to issue the Let's Encrypt certificates. Currently it is version 2.1.2.641.x64.pluggable.

When I try to issue the renewal the error is "DNS problem: SERVFAIL looking up CAA for cavitt.eurekausd.org - the domain's nameservers may be malfunctioning" (this error occurs for all of them).

The renewal information for cavitt.eurekausd.org specifically is:
Renewal -----------------------------------------------------------------

Id: WJLK2oH2zESSh2feFkXeCg
File: WJLK2oH2zESSh2feFkXeCg.renewal.json
FriendlyName: [IIS] eurekausd.org.cavitt
.pfx password: ********************************************
Renewal due: 7/16/2022 9:26:50 AM
Renewed: 10 times
Target -----------------------------------------------------------------

  • Plugin: IIS - (IIS)
  • Sites: 118
  • Hosts: All

Validation -----------------------------------------------------------------

  • Plugin: SelfHosting - (Serve verification files from memory (recommended))

CSR -----------------------------------------------------------------

  • Plugin: RSA - (RSA key)

Store -----------------------------------------------------------------

  • Plugin: CertificateStore - (Windows Certificate Store)

Installation -----------------------------------------------------------------

  • Plugin: IIS - (Create or update https bindings in IIS)

History -----------------------------------------------------------------

1: 2/17/2021 5:17:58 PM - Success - Thumbprint 8879FF08969CA3D547CFDB22A1B2F6848B88B20A
2: 4/14/2021 9:02:21 AM - Success - Thumbprint 207A3527D4DDAFD15F5BF7DC3FDF7E1BE8E94E8A
3: 6/9/2021 9:01:36 AM - Success - Thumbprint 8E283A64608F3409562E656B138CF04599AF74A5
4: 8/3/2021 9:04:07 AM - Success - Thumbprint C90FB9CE5D1A06B63DA7D1B44A391C9B20AEE374
5: 9/28/2021 9:03:37 AM - Success - Thumbprint D050DBC234D353AC336FACCE9B116A5609F2CE7E
6: 9/29/2021 10:54:27 PM - Success - Thumbprint EF5CB0693107B3CE752C55310C889009A29B280E
7: 12/2/2021 9:26:53 AM - Success - Thumbprint A9680AF9C82BA13F88C5E6624EA738A9D480089D
8: 1/28/2022 9:27:03 AM - Success - Thumbprint FD5BAF6DE8BF9E7B881A946EC17BBC326DA305DD
9: 3/25/2022 9:25:32 AM - Success - Thumbprint 5B58E733E52EC29D9A11C9B784CB14ABC3EA2528
10: 5/22/2022 9:26:50 AM - Success - Thumbprint 2A2A5809E15929B9BE9ED8BC0A277CCF467056B1
11: 7/19/2022 9:28:53 AM - Error - Authorization failed
12: 8/1/2022 11:08:08 PM - Error - Authorization failed
13: 8/1/2022 11:09:18 PM - Error - Authorization failed
14: 8/4/2022 10:59:25 PM - Error - Authorization failed

When I try to run the renewal the result is:
[INFO] Force renewing certificate for [IIS] eurekausd.org.cavitt
[INFO] Authorize identifier: cavitt.eurekausd.org
[INFO] Authorizing cavitt.eurekausd.org using http-01 validation (SelfHosting)
[EROR] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up CAA for cavitt.eurekausd.org - the domain's nameservers may be malfunctioning",
"status": 400

[EROR] Authorization result: invalid
[EROR] Renewal for [IIS] eurekausd.org.cavitt failed, will retry on next run

This domain is a client of mine, and it appears that they have Network Solutions as their domain provider. I don't have direct access to the nameserver, but I can get them to make changes if required.

I have a ton of other domains on Network Solutions as well, and I am not having any other problems that I am aware of.

Any help, or anything I can try to get these certificate renewed would be greatly appreciated.

The weird thing is that I was able to "fix" the root domain "eurekausd.org" by removing the website from IIS and redoing the process of setting up the Let's Encrypt SSL using IIS and win-acme, and everything went through perfectly. Then, when the old one (the broken one) went through the renewal process, it was renewed and is running perfectly. I tried the same procedure for cavitt.eurekausd.org and it failed with the same error, and I was unable to create a new certificate.

Thanks,
Josh

The DNS resolving library used by the validation server, Unbound, is complaining about DNSSEC when requesting the CAA record for your domain. See https://unboundtest.com/m/CAA/cavitt.eurekausd.org/YDGUQL6G for more info, mainly the last line mentioning "validate(nodata): sec_status_bogus". The rest is next to impossible to decipher IMO.

Strangely enough, DNSViz isn't complaining at all: cavitt.eurekausd.org | DNSViz However, unfortunately DNSViz does not mention the existence of the NSEC resource record returned by the authoritative DNS server, even when I explicitly ask DNSViz to request the CAA resource record. One would assume that when a user requests a specific resource record, the software would mention the existence or non-existence of such a record. But alas, DNSViz does not.

So the only thing I can say is "Unbound complains about DNSSEC being bogus", but I have no idea how to debug this further.


There is an advanced option DNSViz has (at the top) to also check the non-existence proofs. There we see a lot of errors.


Basically DNSSEC is completely broken in this domain, and every DNSSEC-validating resolver (not only Unbound) should complain.

It appears as if for every subdomain of eurekausd.org, the non-existence proofs are broken (NSEC). It sends NSEC proofs for records that result in ANSWERs (i.e. they do exist), and it sends NSEC answers not sufficiently covering the subdomains queried. Note that the apex domain eurekausd.org works properly; it's the NSEC proofs for the subdomains that are not valid. The existence proofs for the subdomains appear to be valid again.

This may indicate that the subdomains are improperly configured at worldnic's DNS servers, because it looks like there is some zone mismatch going on internally. However, even when we ignore all the broken NSEC, the entire signing process is not spec-compliant, so it relies on the lenience of resolvers to even work in the first place.

I would advise to talk to whoever manages your DNS(SEC) and inform them that whatever is going on there is no good.

Here is the DNSViz test with advanced options enabled:

https://dnsviz.net/d/cavitt.eurekausd.org/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

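To make concrete what the two replies above are describing (Unbound's "validate(nodata): sec_status_bogus" on the CAA lookup, and NSEC records "not sufficiently covering the subdomains queried"), here is an added example that is not part of the original thread and not code from Unbound, DNSViz or win-acme. It implements the NSEC checks a validating resolver performs for a negative answer: RFC 4034 canonical name ordering, NSEC coverage, and the NODATA and NXDOMAIN proof rules of RFC 4035 section 5.4 (it goes a little beyond the thread's NODATA case by also checking the wildcard proof an NXDOMAIN needs). The zone, the NSEC chain and the "mismatched" record are constructed for example.org and are not the real eurekausd.org data; the function names are the example's own.

```python
"""NSEC negative-proof checks as a DNSSEC validator performs them.

Added example with constructed data (example.org), not real eurekausd.org
zone contents.  Rules: RFC 4034 s6.1 (canonical order), RFC 4035 s5.4.
"""
from __future__ import annotations

from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_cmp(a: str, b: str) -> int:
    """RFC 4034 s6.1 ordering: compare labels right to left, case-insensitively
    and bytewise; a name with fewer labels that is a prefix sorts first."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(reversed(la), reversed(lb)):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset[str]  # the NSEC type bitmap


def nsec_covers(rec: NSEC, name: str) -> bool:
    """True if the NSEC asserts that `name` does not exist: the name sorts
    strictly between owner and next name (the last NSEC wraps to the apex)."""
    after_owner = canonical_cmp(rec.owner, name) < 0
    before_next = canonical_cmp(name, rec.next_name) < 0
    if canonical_cmp(rec.next_name, rec.owner) <= 0:  # wrap-around record
        return after_owner or before_next
    return after_owner and before_next


def closest_encloser(name: str, rec: NSEC) -> str:
    """Longest ancestor of `name` that the covering NSEC proves to exist."""
    best: list[str] = []
    for other in (rec.owner, rec.next_name):
        common: list[str] = []
        for x, y in zip(reversed(_labels(name)), reversed(_labels(other))):
            if x != y:
                break
            common.append(x)
        if len(common) > len(best):
            best = common
    return ".".join(reversed(best)) + "."


def validate_negative(qname: str, qtype: str, rcode: str, nsecs: list[NSEC]) -> tuple[str, str]:
    """Return ("secure", proof) or ("bogus", reason) for a negative response,
    roughly what Unbound reports as the validate(nodata)/validate(nxdomain) status."""
    match = next((r for r in nsecs if canonical_cmp(r.owner, qname) == 0), None)
    covering = next((r for r in nsecs if nsec_covers(r, qname)), None)
    if rcode == "NOERROR":  # NODATA: the name exists, the type does not
        if match is not None:
            if qtype in match.types or "CNAME" in match.types:
                return "bogus", f"NSEC at {qname} lists {qtype} or CNAME, contradicting the empty answer"
            return "secure", "NODATA"
        if covering is not None:
            wildcard = "*." + closest_encloser(qname, covering)
            wc = next((r for r in nsecs if canonical_cmp(r.owner, wildcard) == 0), None)
            if wc is not None and qtype not in wc.types:
                return "secure", "NODATA via wildcard"
            return "bogus", f"NSEC claims {qname} does not exist, but RCODE is NOERROR"
        return "bogus", f"no NSEC matches {qname}"
    if rcode == "NXDOMAIN":
        if match is not None:
            return "bogus", f"NSEC proves {qname} exists, but RCODE is NXDOMAIN"
        if covering is None:
            return "bogus", f"no NSEC covers {qname}"
        wildcard = "*." + closest_encloser(qname, covering)
        if any(canonical_cmp(r.owner, wildcard) == 0 for r in nsecs):
            return "bogus", f"{wildcard} exists, so a wildcard answer was expected"
        if not any(nsec_covers(r, wildcard) for r in nsecs):
            return "bogus", f"no NSEC covers {wildcard}; NXDOMAIN proof is incomplete"
        return "secure", "NXDOMAIN"
    raise ValueError(f"unsupported RCODE {rcode}")


# Constructed NSEC chain for a three-name zone: example.org, cavitt, www.
CHAIN = [
    NSEC("example.org.", "cavitt.example.org.", frozenset({"A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("cavitt.example.org.", "www.example.org.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("www.example.org.", "example.org.", frozenset({"A", "RRSIG", "NSEC"})),
]
# Constructed NSEC from another copy of the zone that skips cavitt entirely:
# the kind of zone-mismatch answer a validator cannot accept for cavitt's CAA NODATA.
MISMATCHED = NSEC("example.org.", "www.example.org.", CHAIN[0].types)

if __name__ == "__main__":
    print(validate_negative("cavitt.example.org.", "CAA", "NOERROR", [CHAIN[1]]))
    print(validate_negative("cavitt.example.org.", "CAA", "NOERROR", [MISMATCHED]))
    print(validate_negative("nosuch.example.org.", "A", "NXDOMAIN", CHAIN))
    print(validate_negative("nosuch.example.org.", "A", "NXDOMAIN", [CHAIN[1]]))
```

The second call is the shape of the thread's failure: the server answers NOERROR with no CAA records but attaches an NSEC that says the queried name does not exist at all, so the NODATA proof fails and a validator marks the answer bogus, which Let's Encrypt's resolver surfaces as SERVFAIL. The fourth call shows the other symptom, an NXDOMAIN whose NSEC set covers the name but not the wildcard at the closest encloser.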

I did not know that! Thanks!


This domain is registered, and DNS is handled at Network Solutions. I can try contacting them to see if they can "fix" the problems with this specific nameserver.

Thank you for the information.

