Certificate installation issues

Hi there,
Please I need your help!!!
I am trying to install LetsEncrypt certificate on my zimbra server (8.7.0) which is installed on ubuntu 14.04. My domain name is uam.edu.ne. I have been struggling on this for several weeks now but in vain.
After downloading the certificate I cd to Letsencrypt directory and typed the command below:
./letsencrypt-auto certonly --standalone
When the command executed it returned the following output:

Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for uam.edu.ne

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: uam.edu.ne
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for uam.edu.ne

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Please help me.
thank you in advance

There's your problem--the Let's Encrypt servers couldn't find any DNS record for your hostname, because they couldn't connect to the authoritative nameserver for your hostname. I note that you have only one nameserver record, which is generally a bad idea, and that you're running it yourself (indeed, on the same machine), which is also often a bad idea. But with that said, I'm now able to connect to your nameserver, and it does respond to queries for your hostname--what happens if you try again?

I think the problem is possibly:

uam.edu.ne has IPv6 address ::1

In IPv6 this refers to localhost. So it’s not really the correct IPv6 address under which other people can reach the site.

While this wouldn’t normally cause a SERVFAIL error in particular, it’s still a serious DNS problem because the Let’s Encrypt CA now does support, and perform, validations over IPv6. So if you give ::1 as your IPv6 address instead of a correct publicly-reachable IPv6 address, I imagine that would cause problems too.

I just tried to issue a (staging) certificate for that site, and the DNS worked. Of course validation failed because I don’t control your website, but the DNS part functioned correctly.

http://dnsviz.net/d/uam.edu.ne/dnssec/

The DNS servers for the .ne TLD look buggy and/or unreliable. Which may partly or entirely be because of the distance between Africa and US services.

What happens if you try again? It may have just been a temporary issue that will work if you give it a couple tries.

You should still remove that ::1 AAAA record so it doesn’t cause problems for your site’s visitors, though.

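The two replies above check the same things by hand: how many NS records the zone has, whether an AAAA record points at ::1, and whether every published address is one the CA can reach from the public Internet (Let's Encrypt validates over IPv6 when an AAAA record exists). The script below is an added example, not code from the thread or from the Let's Encrypt client; it takes the records as explicit arguments so it runs offline, and `live_records()` is a hypothetical helper that fetches A/AAAA with the standard library (it does not look up NS records). The nameserver name `ns1.example.invalid` is a constructed placeholder.

```python
"""Pre-flight DNS sanity check for a hostname before requesting an ACME cert.

Added example, not part of the forum thread. It encodes the checks the
replies make by hand: a single NS record, an AAAA record of ::1 (loopback),
and any address that is not publicly routable.
"""
import ipaddress
import socket


def check_acme_dns(hostname, ns_records, a_records, aaaa_records):
    """Return a list of findings; an empty list means no DNS problem was found."""
    findings = []
    if not ns_records:
        findings.append("no NS record: the CA cannot find an authoritative server")
    elif len(ns_records) == 1:
        findings.append(f"only one nameserver ({ns_records[0]}): a single point of failure")
    if not a_records and not aaaa_records:
        findings.append("no A or AAAA record: validation cannot reach the host")
    # The CA validates over IPv6 when an AAAA record is published, so a bogus
    # AAAA record breaks validation even when the A record is correct.
    for rrtype, addrs in (("A", a_records), ("AAAA", aaaa_records)):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback:
                findings.append(f"{rrtype} record {addr} is loopback: it means localhost, not your server")
            elif not ip.is_global:
                findings.append(f"{rrtype} record {addr} is not publicly routable")
    return findings


def live_records(hostname):
    """Hypothetical helper: resolve A and AAAA records with the system resolver."""
    a, aaaa = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 443):
        (a if family == socket.AF_INET else aaaa).add(sockaddr[0])
    return sorted(a), sorted(aaaa)


if __name__ == "__main__":
    # Constructed sample reproducing the zone as described before the AAAA fix:
    # one self-hosted nameserver (placeholder name), a public A record, and ::1.
    for finding in check_acme_dns("uam.edu.ne", ["ns1.example.invalid"],
                                  ["41.138.51.99"], ["::1"]):
        print("-", finding)
```

Run `check_acme_dns(host, *([ns_list] + list(live_records(host))))` only after obtaining the NS list separately; the helper deliberately does not query NS.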

Hi mnordhoff,
Thank you very much for your prompt response.
As you suggested we have removed the ::1 AAAA record and gave it several tries but unfortunately we continue having the same error message as follows:

Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for uam.edu.ne

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: uam.edu.ne
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for uam.edu.ne

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Hi mnordhoff,
Thank you very much for your prompt response. As you suggested we have removed the ::1 AAAA record and gave it several tries but unfortunately we got another error message as follows:

Failed authorization procedure. uam.edu.ne (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 41.138.51.99:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: uam.edu.ne
    Type: connection
    Detail: Failed to connect to 41.138.51.99:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
Best regards!!!

The TLS-SNI-01 connection failure shows that it got further than before! That’s a new problem!
