Certificate renewal failed for second-level domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

bottebuona.sviluppo.host

I ran this command:

acme-client -v -F bottebuona.sviluppo.host

It produced this output:

acme-client: /tmp/server.key: generated RSA domain key
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/50131692840
acme-client: challenge, token: aJEHC15Mtvo7fSnw_Dn-s0dZ4x2E03Q6rSzKeJViZH4, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/50131692840/neGPPw, status: 0
acme-client: /var/www/html/.well-known/acme-challenge/aJEHC15Mtvo7fSnw_Dn-s0dZ4x2E03Q6rSzKeJViZH4: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/50131692840/neGPPw: challenge
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/50131692840
acme-client: challenge, token: aJEHC15Mtvo7fSnw_Dn-s0dZ4x2E03Q6rSzKeJViZH4, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/50131692840/neGPPw, status: -1
acme-client: order.status -1
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/50131692840
acme-client: DNS problem: SERVFAIL looking up CAA for sviluppo.host - the domain's nameservers may be malfunctioning
acme-client: bad exit: netproc(1577070): 1

My web server is (include version):

Apache 2.4.51

The operating system my web server runs on is (include version):

CloudLinux OS 8.4

My hosting provider, if applicable, is:

host.it (I'm representing them)

I can login to a root shell on my machine (yes or no, or I don't know):

Yes, I'm the sysadmin

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, Directadmin 1.63.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

letsencrypt 2.0.24 (installed from directadmin), but whatever other tool gives the same error.

Additional details:

The problem started to appear yesterday and only for the second-level domains of the sviluppo.host zone.
In our case, bottebuona.sviluppo.host is a second-level domain, with a zone containing records such as:

www.bottebuona.sviluppo.host

and similar hosts. bottebuona.sviluppo.host itself resolves to a public IP:

dick$ dig bottebuona.sviluppo.host

; <<>> dig 9.10.8-P1 <<>> bottebuona.sviluppo.host
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35108
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bottebuona.sviluppo.host. IN A

;; ANSWER SECTION:
bottebuona.sviluppo.host. 360 IN A 81.31.149.101

;; Query time: 102 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 17 11:24:43 CET 2021
;; MSG SIZE rcvd: 58

We never had DNSSEC on our zones and the error message appears a bit misleading. To note, we have other zones that we use as second-level domains, such as shared.host.it, used for the public hostnames of our hosting machines.
We also use letsencrypt to generate TLS certificates for the servers' hostnames, like web001.shared.host.it, and the certs are properly generated.

1 Like

The name server of the sviluppo.host domain is really malfunctioning; it returns SERVFAIL status:

$ dig CAA sviluppo.host

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Raspbian <<>> CAA sviluppo.host
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 111fae62651b80070991a467619548aa9dbfc89aa49cf4b2 (good)
;; QUESTION SECTION:
;sviluppo.host.			IN	CAA

;; Query time: 943 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Nov 17 19:23:54 CET 2021
;; MSG SIZE  rcvd: 70
4 Likes

Yeah, nothing about that DNS seems to be working right.

https://dnsviz.net/d/sviluppo.host/dnssec/?rr=1&rr=28&rr=257&a=all&ds=all&ta=.&tk=

  • sviluppo.host zone: The server(s) responded over TCP with a malformed response or with an invalid RCODE. (185.84.96.5, 185.84.97.5)
  • sviluppo.host zone: The server(s) responded over UDP with a malformed response or with an invalid RCODE. (185.84.96.5, 185.84.97.5)
  • sviluppo.host/A: The response had an invalid RCODE (REFUSED). (185.84.96.5, 185.84.97.5, UDP_-_EDNS0_4096_D_KN)
  • sviluppo.host/AAAA: The response had an invalid RCODE (REFUSED). (185.84.96.5, 185.84.97.5, UDP_-_EDNS0_4096_D_KN)
  • sviluppo.host/CAA: The response had an invalid RCODE (REFUSED). (185.84.96.5, 185.84.97.5, UDP_-_EDNS0_4096_D_KN)
5 Likes
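The three posts above all point at the same mechanism: before issuing, the CA looks up CAA not only at the requested name but at every parent up the tree (RFC 8659, section 3), and Let's Encrypt fails closed if any level answers SERVFAIL or REFUSED, which is why a broken sviluppo.host zone blocks certificates for bottebuona.sviluppo.host even though the host itself resolves fine. The script below is an added example, not code from this thread, from Let's Encrypt's Boulder or from PowerDNS: it implements the RFC 8659 climb over an injected lookup function so it runs offline. The zone data in CONSTRUCTED_ANSWERS is a constructed emulation of the thread (the CAA record on shared.host.it and the locked.example zone are invented for illustration); to run the same logic against real DNS you would replace constructed_lookup with a function that performs the query through a resolver library.

```python
"""Emulate the CAA 'tree climbing' lookup (RFC 8659, section 3) an ACME CA
performs before issuing, so the SERVFAIL failure mode from the thread can be
reproduced offline.  Added example; the resolver is a constructed stand-in."""
from typing import Callable, Dict, List, Tuple

# A CAA record as (flags, tag, value), e.g. (0, "issue", "letsencrypt.org").
CAARecord = Tuple[int, str, str]
# A lookup returns (rcode, records); rcode uses dig's names:
# NOERROR, NXDOMAIN, SERVFAIL, REFUSED.
Lookup = Callable[[str], Tuple[str, List[CAARecord]]]


def parent(name: str) -> str:
    """Strip the leftmost label; returns "" once the root is reached."""
    return name.partition(".")[2]


def relevant_caa_set(name: str, lookup: Lookup) -> Tuple[str, str, List[CAARecord]]:
    """Walk from `name` toward the root until a non-empty CAA RRset is found.

    Returns (status, queried_name, records):
      "ok"            -> records is the relevant set (possibly empty)
      "lookup-failed" -> a server answered SERVFAIL/REFUSED at queried_name;
                         the CA cannot tell "no CAA" from "CAA suppressed",
                         so it must refuse to issue.
    """
    current = name.rstrip(".")
    while current:
        rcode, records = lookup(current)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            return "lookup-failed", current, []
        if records:
            return "ok", current, records
        current = parent(current)  # empty at this level, climb one label
    return "ok", "", []


def issuance_allowed(name: str, ca_domain: str, lookup: Lookup) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue a non-wildcard cert for `name`."""
    status, at, records = relevant_caa_set(name, lookup)
    if status != "ok":
        return False, f"CAA lookup for {at} failed ({status}); refusing to issue"
    if not records:
        return True, "no CAA records anywhere in the tree; any CA may issue"
    # An unknown property with the critical bit (0x80) set forbids issuance.
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown CAA tag {tag!r} at {at}"
    issue = [v for _, t, v in records if t == "issue"]
    if not issue:
        return True, f"CAA at {at} has no 'issue' property; issuance not restricted"
    # Value is "<issuer-domain>[; params]"; a bare ";" forbids every CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue}
    if ca_domain.lower() in allowed:
        return True, f"CAA at {at} permits {ca_domain}"
    return False, f"CAA at {at} does not list {ca_domain}"


# Constructed emulation of the thread: hosts under sviluppo.host resolve, but the
# authoritative servers for sviluppo.host itself answer SERVFAIL/REFUSED.
# The records for shared.host.it and locked.example are invented.
CONSTRUCTED_ANSWERS: Dict[str, Tuple[str, List[CAARecord]]] = {
    "bottebuona.sviluppo.host": ("NOERROR", []),
    "sviluppo.host": ("SERVFAIL", []),
    "host": ("NOERROR", []),
    "web001.shared.host.it": ("NOERROR", []),
    "shared.host.it": ("NOERROR", [(0, "issue", "letsencrypt.org")]),
    "host.it": ("NOERROR", []),
    "it": ("NOERROR", []),
    "locked.example": ("NOERROR", [(0, "issue", ";")]),
    "example": ("NOERROR", []),
}


def constructed_lookup(name: str) -> Tuple[str, List[CAARecord]]:
    """Stand-in resolver: names not in the table behave as NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(name, ("NXDOMAIN", []))


if __name__ == "__main__":
    for n in ("bottebuona.sviluppo.host", "web001.shared.host.it", "locked.example"):
        ok, why = issuance_allowed(n, "letsencrypt.org", constructed_lookup)
        print(f"{n}: {'ISSUE' if ok else 'REFUSE'} - {why}")
```

The detail worth keeping in mind from the climb is that a healthy leaf does not help: relevant_caa_set stops at the first parent that errors, so the fix is on the authoritative servers for sviluppo.host (the 185.84.96.5 / 185.84.97.5 hosts in the DNSViz report), not on the web server or the ACME client.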

Hi.

Ok, a small additional detail. Last week we upgraded our powerdns and dnsdist installation. Speaking with the PowerDNS developers, it's possible that dnsdist or powerdns changed how they respond to this kind of query.

To be fair, the sviluppo.host zone never existed in our authoritative DNS, so the update exposed something we were doing wrong anyway.

2 Likes