(CAA) Unable to renew a single domain MAGUSCA.COM

Hi all

Initially I had thought the NS for this domain responded with SERVFAIL for the CAA check at ns1.fast-hosts.org, but having checked this, the result is:

; <<>> DiG 9.10.6 <<>> @ns1.fast-hosts.org magusca.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48308
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;magusca.com. IN CAA

magusca.com. 2797 IN SOA ns1.livedns.co.uk. administrator.magusca.com. 1410698518 10800 3600 604800 3600

;; Query time: 12 msec
;; WHEN: Fri Nov 03 09:34:44 GMT Standard Time 2017
;; MSG SIZE rcvd: 96

I’ve also tried the http://unboundtest.com website and it doesn’t show an issue? The certificate expires soon, so am looking for some advice as to where the issue actually is. The tool isn’t showing very useful information, so am getting the source to look further. If you are able to perform any tests to point to the location of the issue, that would be greatly appreciated. We have 100+ other websites on the same server (plus 3 other servers) and they are all renewing fine, with the same hosting set up and configuration.

My domain is: www.magusca.com

I ran this command: letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/"

It produced this output:

Checking IIS www.magusca.com (c:\inetpub\root\1660\sites\4510\site) Renew After 13/10/2017
Renewing certificate for IIS www.magusca.com (c:\inetpub\root\1660\sites\4510\site) Renew After 13/10/2017
Authorizing Identifier www.magusca.com Using Challenge Type http-01
Writing challenge answer to c:\inetpub\root\1660\sites\4510\site.well-known/acme-challenge/SzTHOWzSP-APpX3SZ2UMniNEe2Pr7HtjrXl_scy9wOQ
Writing web.config to add extensionless mime type to c:\inetpub\root\1660\sites\4510\site.well-known\acme-challenge\web.config
Answer should now be browsable at http://www.magusca.com/.well-known/acme-challenge/SzTHOWzSP-APpX3SZ2UMniNEe2Pr7HtjrXl_scy9wOQ
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

The ACME server was probably unable to reach http://www.magusca.com/.well-known/acme-challenge/SzTHOWzSP-APpX3SZ2UMniNEe2Pr7HtjrXl_scy9wOQ

Check in a browser to see if the answer file is being served correctly. If it is, also check the DNSSEC configuration.
Authorize failed: This could be caused by IIS not being setup to handle extensionless static files.Here’s how to fix that:
1.In IIS manager goto Site/ Server->Handler Mappings->View Ordered List
2.Move the StaticFile mapping above the ExtensionlessUrlHandler mappings. (like this http://i.stack.imgur.com/nkvrL.png)
3.If you need to make changes to your web.config file, update the one at C:\LetsEncrypt\web_config.xml

Renewal failed IIS www.magusca.com (c:\inetpub\root\1660\sites\4510\site) Renew After 13/10/2017, will retry on next run

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Have you looked at: http://dnsviz.net/d/www.magusca.com/dnssec/

So seems to be because their NS are:


But the NS records in the domain are:

magusca.com. 3600 IN NS ns2.livedns.co.uk.
magusca.com. 3600 IN NS ns1.livedns.co.uk.
magusca.com. 3600 IN NS ns3.livedns.co.uk.


These are the nameservers listed in your domain's WHOIS record:


If they are not correct, you should update them with your domain name registrar.

This isn’t our domain, it’s a customer’s domain (we’re just their web host), so this is what they’ve been set to. If this is what’s causing the problem, I’ll ask them to check that they’re what they should be, but I doubt they’ll know.

Does this client produce any other output or log files that might explain the exact reason that the challenge failed? The certificate authority normally sends a more specific explanation as part of the error, but this wasn’t displayed by the client here.

Queries for www.magusca.com. for query types other than A do have a bizarre and broken response:

$ dig +norecurse @ns1.livedns.co.uk www.magusca.com aaaa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse @ns1.livedns.co.uk www.magusca.com aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39632
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;www.magusca.com.               IN      AAAA

www.magusca.com.        3600    IN      CNAME   magusca.com.
www.magusca.com.        3600    IN      CNAME   www.magusca.com.

;; Query time: 110 msec
;; WHEN: Tue Nov 07 03:43:33 UTC 2017
;; MSG SIZE  rcvd: 61

I think a CNAME is a valid response to an AAAA query, isn’t it?

I still think this mismatch is very out of the ordinary:

#dig @a.gtld-servers.net magusca.com ns
magusca.com. 172800 IN NS ns1.fast-hosts.org.
magusca.com. 172800 IN NS ns2.fast-hosts.org.

#dig @ns1.fast-hosts.org magusca.com ns
magusca.com. 3337 IN NS ns3.livedns.co.uk.
magusca.com. 3337 IN NS ns2.livedns.co.uk.
magusca.com. 3337 IN NS ns1.livedns.co.uk.

It is, but the status code is SERVFAIL and there were two CNAMEs. Either or both of those issues would probably cause a resolver to reject the response.

The different NS records are silly, but all 5 nameservers really do seem to be authoritative for the zone, so it should work fine.


Good points there! :slight_smile:
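
Added example, not part of the thread or of any ACME client's code: a small Python check that parses dig output like the AAAA response quoted earlier and flags the two conditions named in the reply above (a non-NOERROR status and more than one CNAME for the same owner name), plus a helper that compares the parent and child NS sets. The sample text is a trimmed copy of the dig output quoted in the thread; all function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the dig output quoted in the thread.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39632
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;www.magusca.com.               IN      AAAA

www.magusca.com.        3600    IN      CNAME   magusca.com.
www.magusca.com.        3600    IN      CNAME   www.magusca.com.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (status, records); records are (owner, type, rdata) tuples."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else None
    records = []
    for line in text.splitlines():
        rr = None if line.startswith(";") else RR.match(line.strip())
        if rr:  # comment lines and blank lines are skipped
            owner, _ttl, rtype, rdata = rr.groups()
            records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return status, records

def findings(text):
    """List the problems a validating resolver is likely to reject."""
    status, records = parse_dig(text)
    out = [] if status == "NOERROR" else [f"rcode {status}"]
    targets = {}
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            targets.setdefault(owner, []).append(rdata)
    for owner, tgts in targets.items():
        if len(tgts) > 1:  # a name may have only one CNAME (RFC 2181, 10.1)
            out.append(f"{owner} has {len(tgts)} CNAME records")
        if owner in tgts:
            out.append(f"{owner} CNAME points at itself")
    return out

def ns_mismatch(parent, child):
    """Names present in only one of the parent (TLD) and child (zone) NS sets."""
    def norm(names):
        return {n.lower().rstrip(".") for n in names}
    return sorted(norm(parent) ^ norm(child))

if __name__ == "__main__":
    print(findings(SAMPLE))
```
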
