Hi,
I’m having some trouble passing a challenge for ownership of a specific (sub)domain name.
My domain is:
widenet.politicalmashup.nl
I ran this command:
sudo certbot --nginx
It produced this output:
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for
widenet.politicalmashup.nl
My web server is (include version):
nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04 server
What I find strange is that I cannot reproduce the CAA SERVFAIL using any of the domain’s DNS servers. For instance:
$ dig widenet.politicalmashup.nl caa @ns5.firstfind.net
; <<>> DiG 9.10.3-P4-Ubuntu <<>> widenet.politicalmashup.nl caa @ns5.firstfind.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54186
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;widenet.politicalmashup.nl. IN CAA
;; AUTHORITY SECTION:
politicalmashup.nl. 3600 IN SOA ns3.firstfind.nl. hostmaster.firstfind.nl. 2017080101 16384 2048 1048576 14400
;; Query time: 4 msec
;; SERVER: 213.136.15.188#53(213.136.15.188)
;; WHEN: Wed Aug 02 19:25:22 CEST 2017
;; MSG SIZE rcvd: 116
But using Google’s DNS (the default on this server), the CAA query does respond with SERVFAIL:
$ dig widenet.politicalmashup.nl caa
; <<>> DiG 9.10.3-P4-Ubuntu <<>> widenet.politicalmashup.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19670
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;widenet.politicalmashup.nl. IN CAA
;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 02 19:25:32 CEST 2017
;; MSG SIZE rcvd: 55
It could be my misunderstanding, but I was under the impression that the DNS servers associated with the domain name would be used for the ownership challenge.
What should I do to obtain a certificate for this subdomain?
Thanks,
Alex
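Added example, not part of the original post: a small Python parser that compares the two `dig` responses above and reports whether the authoritative server and the recursive resolver disagree about the CAA lookup. The sample input is the header, flags and SERVER lines copied from the post; the function names are chosen for this example.

```python
import re

# Header, flags and SERVER lines copied (trimmed) from the two dig runs in the post.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54186
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 213.136.15.188#53(213.136.15.188)
"""
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19670
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

def parse_dig(text):
    """Extract status, header flags, answer count and server from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    answers = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r"^;; SERVER: ([^#\s]+)", text, re.M)
    if not (status and flags and answers and server):
        raise ValueError("not a complete dig response")
    return {"status": status.group(1), "flags": set(flags.group(1).split()),
            "answers": int(answers.group(1)), "server": server.group(1)}

def classify(resp):
    """Describe what one response means for a CAA lookup (labels are this example's own)."""
    if resp["status"] == "SERVFAIL":
        return "lookup failed"
    if resp["status"] == "NXDOMAIN":
        return "name does not exist"
    if resp["status"] == "NOERROR":
        return "CAA records present" if resp["answers"] else "no CAA records at this name"
    return "unexpected status " + resp["status"]

def compare(auth_text, rec_text):
    """Return (authoritative verdict, recursive verdict, whether they disagree)."""
    auth, rec = parse_dig(auth_text), parse_dig(rec_text)
    if "aa" not in auth["flags"]:  # the 'aa' flag marks an authoritative answer
        raise ValueError(auth["server"] + " did not answer authoritatively")
    a, r = classify(auth), classify(rec)
    return a, r, a != r

if __name__ == "__main__":
    a, r, differ = compare(AUTHORITATIVE, RECURSIVE)
    print("authoritative:", a)
    print("recursive:    ", r)
    print("disagree:     ", differ)
```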