Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.en.kku.ac.th
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.en.kku.ac.th.conf produced an unexpected error: Failed authorization procedure. www.en.kku.ac.th (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.en.kku.ac.th. Skipping.
My web server is (include version): nginx (1.12.1)
The operating system my web server runs on is (include version): Debian 8
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I tried to ask our DNS administrator team and they said DNS is working normally and can resolve the name correctly. But there must be something wrong. Can you help me find it?
I believe your administrator team is wrong, unfortunately. It seems there are some problems with DNSSEC; here are logs from my own DNS resolver:
Sep 04 12:31:01 named[17181]: validating @0x7f0e84a894e0: en.kku.ac.th SOA: got insecure response; parent indicates it should be secure
Sep 04 12:31:01 named[17181]: error (no valid RRSIG) resolving 'www.en.kku.ac.th/DS/IN': 202.12.97.21#53
Sep 04 12:31:01 named[17181]: validating @0x7f0e84a894e0: en.kku.ac.th SOA: got insecure response; parent indicates it should be secure
Sep 04 12:31:01 named[17181]: error (no valid RRSIG) resolving 'www.en.kku.ac.th/DS/IN': 202.28.117.227#53
Sep 04 12:31:01 named[17181]: validating @0x7f0e8c052150: en.kku.ac.th SOA: got insecure response; parent indicates it should be secure
Sep 04 12:31:01 named[17181]: error (no valid RRSIG) resolving 'www.en.kku.ac.th/DS/IN': 202.12.97.1#53
Sep 04 12:31:01 named[17181]: error (no valid DS) resolving 'www.en.kku.ac.th/A/IN': 202.28.117.227#53
Sep 04 12:31:02 named[17181]: validating @0x7f0e843874f0: www.en.kku.ac.th A: bad cache hit (www.en.kku.ac.th/DS)
Sep 04 12:31:02 named[17181]: error (broken trust chain) resolving 'www.en.kku.ac.th/A/IN': 202.12.97.21#53
If you check your domain using https://unboundtest.com/ (which is set up closely to what Let's Encrypt production servers use), you'll also get an error related to a broken DNSSEC chain of trust (full log here):
Sep 04 10:38:04 unbound[29994:0] info: NSEC3s for the referral did not prove no DS.
Sep 04 10:38:04 unbound[29994:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
Sep 04 10:38:04 unbound[29994:0] info: validator operate: query www.en.kku.ac.th. A IN
Sep 04 10:38:04 unbound[29994:0] info: Could not establish a chain of trust to keys for en.kku.ac.th. DNSKEY IN
Sep 04 10:38:04 unbound[29994:0] info: 127.0.0.1 www.en.kku.ac.th. A IN SERVFAIL 4.530659 0 34
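As an added illustration, not part of this thread, here is a small triage script that parses BIND named validator messages of the kind quoted above and turns them into the DNSSEC failure mode they describe (a DS at the parent with no valid signatures at the child). The regexes, function names and the SAMPLE_LOG list (copies of the lines above plus one constructed unrelated line) are mine.

```python
import re
from collections import defaultdict
# error (no valid RRSIG) resolving 'www.en.kku.ac.th/DS/IN': 202.12.97.21#53
ERROR_RE = re.compile(r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^/']+)/(?P<rtype>\w+)/IN': "
                      r"(?P<server>[0-9a-fA-F.:]+)#\d+")
# validating @0x7f0e84a894e0: en.kku.ac.th SOA: got insecure response; parent indicates it should be secure
VALIDATING_RE = re.compile(r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\w+): (?P<msg>.+)$")
# Reasons that all mean "the chain of trust from the root down to this name is broken".
CHAIN_BREAK_REASONS = {"no valid RRSIG", "no valid DS", "broken trust chain"}
# Constructed sample: copies of lines the validating resolver logged above, plus one unrelated line.
SAMPLE_LOG = [
    "Sep 04 12:31:01 named[17181]: validating @0x7f0e84a894e0: en.kku.ac.th SOA: got insecure response; parent indicates it should be secure",
    "Sep 04 12:31:01 named[17181]: error (no valid RRSIG) resolving 'www.en.kku.ac.th/DS/IN': 202.12.97.21#53",
    "Sep 04 12:31:01 named[17181]: error (no valid DS) resolving 'www.en.kku.ac.th/A/IN': 202.28.117.227#53",
    "Sep 04 12:31:02 named[17181]: error (broken trust chain) resolving 'www.en.kku.ac.th/A/IN': 202.12.97.21#53",
    "Sep 04 12:31:02 named[17181]: client 127.0.0.1#5300: query: example.org IN A",  # unrelated, ignored
]

def parse_line(line):
    """Return a dict for one validator message, or None for an unrelated log line."""
    m = ERROR_RE.search(line)
    if m:
        return {"kind": "error", **m.groupdict()}
    m = VALIDATING_RE.search(line)
    if m:
        return {"kind": "validating", "server": None, **m.groupdict()}
    return None

def triage(lines):
    """Group validator messages by the name they concern: failure reasons, answering servers, notes."""
    by_name = defaultdict(lambda: {"reasons": set(), "servers": set(), "notes": set()})
    for rec in filter(None, map(parse_line, lines)):
        entry = by_name[rec["name"]]
        if rec["kind"] == "error":
            entry["reasons"].add(rec["reason"])
            entry["servers"].add(rec["server"])
        else:
            entry["notes"].add(rec["msg"])
    return dict(by_name)

def verdict(summary):
    """Translate the grouped messages into the DNSSEC failure mode and the two ways to repair it."""
    parent_says_secure = any("parent indicates it should be secure" in n for e in summary.values() for n in e["notes"])
    broken = sorted(n for n, e in summary.items() if e["reasons"] & CHAIN_BREAK_REASONS)
    if parent_says_secure and broken:
        return ("broken chain of trust for %s: the parent publishes a DS record but the child zone's answers "
                "carry no valid signatures; either sign the zone with the key the DS covers or remove the DS"
                % ", ".join(broken))
    return ("validation errors for %s" % ", ".join(broken)) if broken else "no DNSSEC validation failures"
```

Run `verdict(triage(SAMPLE_LOG))` to get the one-line explanation; feed it `journalctl -u named` output to triage a live resolver.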
@songvut, some system administrators don’t know much about DNSSEC because the DNSSEC checks are only performed by a minority of software. For example, Let’s Encrypt does enforce DNSSEC checks before issuing a certificate—but your browser probably doesn’t enforce them before loading a page!
So it’s quite possible that the administrator loaded the page with a browser or some other tool and said “It’s working fine!” without investigating the DNSSEC situation.