Challenge failed for domain SERVFAIL

agozie · August 4, 2020, 12:11am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.fiftonacademy.com

I ran this command:
sudo certbot --nginx

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.fiftonacademy.com
Waiting for verification...
Challenge failed for domain www.fiftonacademy.com
http-01 challenge for www.fiftonacademy.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.fiftonacademy.com
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for fiftonacademy.com

the domain's nameservers may be malfunctioning

Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

rg305 · August 4, 2020, 12:27am

You have DNSSEC issues:
https://dnsviz.net/d/fiftonacademy.com/dnssec/

agozie · August 4, 2020, 12:31am

Thanks for the quick reply. I’m not really sure what DNSSEC means as I’m pretty new to this? Can you please tell me what the issue is or how I can resolve it?

agozie · August 4, 2020, 12:56am

Okay, so I’m not sure how to delete this post, nor how to close it. But I’ve rectified the issue. The problem was that I forgot to create a CAA record from my digitalocean account

_az · August 4, 2020, 12:58am

It’s good that you got it to work, but this is not the true nature of the issue.

You don’t need to create a CAA record, it’s just that doing so has effectively masked a different problem.

The problem here is that you added www.fiftonacademy.com to your DigitalOcean account as the DNS zone, but you needed to instead add fiftonacademy.com, and then create the www subdomain within that DNS zone.

This is probably going to bite you in ass in the future if you don’t fix it now. For example, if you ever want to setup email services.

But it’s up to you.

agozie · August 4, 2020, 12:59am

Oh, I see. Thanks a lot. Will change that right now

agozie · August 4, 2020, 1:11am

So I deleted that domain, and created a new domain, and added the www as a subdomain. My question now is if I still need to create a CAA record. Like is it necessary?

_az · August 4, 2020, 1:13am

You don’t, no. It’s optional.

The reason it caused an error the first time is due to the way you created the zone.

agozie · August 4, 2020, 1:15am

Okay. Thanks for the help

system · September 3, 2020, 1:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.