Certbot dns challenge results in servfail error

Hey guys,

I have some issues getting a certificate for an AWS Linux server using Route 53 and certbot with the "dns-route53" plugin.

I set up a public hosted zone, cdk.syrocon.cloud, with the corresponding IAM roles for my EC2 instance.

cdk.syrocon.cloud.
NS
ns-331.awsdns-41.com.
ns-1427.awsdns-50.org.
ns-745.awsdns-29.net.
ns-1950.awsdns-51.co.uk.

I ran this command:
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d cdk.syrocon.cloud

Output is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cdk.syrocon.cloud


Please deploy a DNS TXT record under the name
_acme-challenge.cdk.syrocon.cloud with the following value:

V38T5yEmL5mx7vXqOWyykxdQnAdaLOVq6vECvuv3WVc

Before continuing, verify the record is deployed.


Press Enter to Continue note: txt created successfully
Waiting for verification...
Challenge failed for domain cdk.syrocon.cloud
dns-01 challenge for cdk.syrocon.cloud
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cdk.syrocon.cloud
    Type: None
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.cdk.syrocon.cloud

According to Route53
Response from Route 53 based on the following options.
DNS request sent to Route 53
_acme-challenge.cdk.syrocon.cloud. IN TXT
EDNS0 client subnet IP
24
DNS response code
NOERROR
Protocol
UDP
Response returned by Route 53
"V38T5yEmL5mx7vXqOWyykxdQnAdaLOVq6vECvuv3WVc"

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.34.2

A dig command results in:
[root@ci ~]# dig @8.8.8.8 _acme-challenge.cdk.syrocon.cloud txt

<<>> DiG 9.9.4-RedHat-9.9.4-73.amzn2.1.2 <<>> @8.8.8.8 _acme-challenge.cdk.syrocon.cloud txt
(1 server found)
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34218
flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

OPT PSEUDOSECTION:
EDNS: version: 0, flags:; udp: 512
QUESTION SECTION:
_acme-challenge.cdk.syrocon.cloud. IN TXT

Query time: 92 msec
SERVER: 8.8.8.8#53(8.8.8.8)
WHEN: Wed May 15 14:39:47 UTC 2019
MSG SIZE rcvd: 62

What am I missing here?

Regards, Mirko

Hi @FuriouZ

Checking your domain name, there are a lot of refused answers ( https://check-your-website.server-daten.de/?q=cdk.syrocon.cloud ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
cdk.syrocon.cloud Refused yes 1 0
www.cdk.syrocon.cloud Refused yes 1 0

Ok, you don’t need an A-record. But your TXT records:

9. TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
cdk.syrocon.cloud Refused - The name server refuses to perform the specified operation for policy reasons 1 0
_acme-challenge.cdk.syrocon.cloud Refused - The name server refuses to perform the specified operation for policy reasons 1 0
_acme-challenge.cdk.syrocon.cloud.syrocon.cloud Refused - The name server refuses to perform the specified operation for policy reasons 1 0
_acme-challenge.cdk.syrocon.cloud.cdk.syrocon.cloud Refused - The name server refuses to perform the specified operation for policy reasons 1 0

The same - refused.

And curious:

8. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
cdk.syrocon.cloud -5 Refused - The name server refuses to perform the specified operation for policy reasons 1 0
syrocon.cloud 0 no CAA entry found 1 0
cloud 0 no CAA entry found 1 0

Your main domain doesn’t have a refused, your subdomain has.

If a hoster blocks a domain, then some hosters send refused answers. But the main domain doesn’t have a refused. Or is “cdk” a critical word?

Perhaps ask your domain provider why a refused-answer is sent.
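As an added check that is not part of either post above, the following script walks the delegation chain for a dns-01 name: it asks the parent zone which name servers it delegates to, queries the TXT record at each of them without recursion (so a REFUSED from a delegated server cannot be hidden by a cache), and then asks a public resolver, which is the view a CA's validator gets. It assumes dig is installed, that the zone is a direct child of its parent (cdk.syrocon.cloud under syrocon.cloud) and is served by different servers than the parent; the parsing helpers work on plain dig output and need no network.

```shell
#!/bin/sh
# Added diagnostic for a failed dns-01 challenge (not from the original thread).
# Assumes dig is installed; the parsing helpers need no network at all.

# RCODE word (NOERROR, SERVFAIL, REFUSED, ...) from the ->>HEADER<<- line of dig output.
rcode_of() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | sed -n 1p
}

# TXT strings from the ANSWER section of dig output, one per line, quotes stripped.
txt_values_of() {
  printf '%s\n' "$1" |
    awk '$3 == "IN" && $4 == "TXT" { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); gsub(/"/, ""); print }'
}

# What each RCODE means for a validator that must resolve the name recursively.
explain_rcode() {
  case "$1" in
    NOERROR)  echo "NOERROR: the TXT record is resolvable from this server" ;;
    SERVFAIL) echo "SERVFAIL: resolution could not complete (broken delegation or DNSSEC failure)" ;;
    REFUSED)  echo "REFUSED: this server does not serve the zone (stale or wrong delegation)" ;;
    NXDOMAIN) echo "NXDOMAIN: the name does not exist at this server" ;;
    *)        echo "unexpected status '$1'" ;;
  esac
}

# Live check: the NS set the parent delegates to, the TXT answer at each of
# those servers (no recursion, so a REFUSED cannot be masked), then the view
# from a public recursive resolver, which is what the CA sees.
check_challenge() {
  zone="$1"; name="_acme-challenge.$zone"; parent="${zone#*.}"
  parent_ns=$(dig +short NS "$parent" | sed -n 1p)
  echo "== NS records $parent ($parent_ns) delegates $zone to =="
  delegated=$(dig +norecurse +noall +authority NS "$zone" @"$parent_ns" | awk '$4 == "NS" { print $5 }')
  echo "$delegated"
  for ns in $delegated; do
    out=$(dig +norecurse TXT "$name" @"$ns")
    echo "== $ns: $(explain_rcode "$(rcode_of "$out")")"
    txt_values_of "$out"
  done
  out=$(dig TXT "$name" @8.8.8.8)
  echo "== 8.8.8.8: $(explain_rcode "$(rcode_of "$out")")"
  txt_values_of "$out"
}

# Run the live check only when a zone is given: sh check-dns01.sh cdk.syrocon.cloud
if [ $# -gt 0 ]; then check_challenge "$1"; fi
```

If a delegated server answers REFUSED while a direct query to the hosted zone's own servers answers NOERROR, the NS set published by the parent no longer matches the servers actually hosting the zone, which is the question to take to the domain provider.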
