Challenge failed for domain SERVFAIL

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.fiftonacademy.com

I ran this command:
sudo certbot --nginx

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.fiftonacademy.com
Waiting for verification...
Challenge failed for domain www.fiftonacademy.com
http-01 challenge for www.fiftonacademy.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.fiftonacademy.com
    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for fiftonacademy.com

    • the domain's nameservers may be malfunctioning

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

1 Like
2

You have DNSSEC issues:
https://dnsviz.net/d/fiftonacademy.com/dnssec/

1 Like
3

Thanks for the quick reply. I’m not really sure what DNSSEC means as I’m pretty new to this? Can you please tell me what the issue is or how I can resolve it?

1 Like
5

Okay, so I’m not sure how to delete this post, nor how to close it. But I’ve rectified the issue. The problem was that I forgot to create a CAA record from my digitalocean account

1 Like
6

It’s good that you got it to work, but this is not the true nature of the issue.

You don’t need to create a CAA record, it’s just that doing so has effectively masked a different problem.

The problem here is that you added www.fiftonacademy.com to your DigitalOcean account as the DNS zone, but you needed to instead add fiftonacademy.com, and then create the www subdomain within that DNS zone.

This is probably going to bite you in ass in the future if you don’t fix it now. For example, if you ever want to setup email services.

But it’s up to you.

2 Likes
7

Oh, I see. Thanks a lot. Will change that right now

1 Like
8

So I deleted that domain, and created a new domain, and added the www as a subdomain. My question now is if I still need to create a CAA record. Like is it necessary?

1 Like
9

You don’t, no. It’s optional.

The reason it caused an error the first time is due to the way you created the zone.

1 Like
10

Okay. Thanks for the help

1 Like
11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.