Challenge failed, type DNS

Good day all,

While attempting to use Certbot I received a Challenge Failed, type: DNS.

If this subject has already been covered in detail (with a solution) please forgive this post. I saw a few Challenge Failed posts but they looked slightly different. If there's a post that applies to my inquiry please forward me to it.

My domain is: www.vansantgusler.com

I ran this command: sudo certbot certonly --nginx
(and 'sudo certbot --nginx')

It produced this output: Challenge failed (please see screenshot below)

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.5

My hosting provider, if applicable, is: self-hosted on a virtual machine

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Terminal and Webmin 2.111

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version: 2.10.0

Screenshot with full error message:

Hello @MaxNomad, welcome to the Let's Encrypt community. 🙂

Using the online tool Let's Debug yields these results https://letsdebug.net/www.vansantgusler.com/1880360

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for www.vansantgusler.com/CAA.
DNS response for www.vansantgusler.com had fatal DNSSEC issues: validation failure <www.vansantgusler.com. CAA IN>: nodata proof failed from 162.159.25.158 and 162.159.24.117. Additionally, Cloudflare's 1.1.1.1 resolver reported: proof of non-existence of www.vansantgusler.com. CAA

Also see regarding the DNS and DNSSEC error

2 Likes

@MaxNomad, since you are using the DNS-01 challenge, you could get a certificate containing the wildcard domain name *.vansantgusler.com and vansantgusler.com. That would cover www.vansantgusler.com, since https://letsdebug.net/vansantgusler.com/1880464 gets an "OK".

2 Likes

A CAA record is not required but your DNS server must respond with a proper "not found". Yours does not.

You can reproduce this with https://unboundtest.com

A lookup for a CAA record will fail with a SERVFAIL. But, lookups for A record work fine.

You might try disabling DNSSEC. If a new unboundtest.com CAA query no longer gets a SERVFAIL, then retry the cert request.

4 Likes

Yep; that is why I also checked vansantgusler.com and suggested the wildcard, as the results look fine: https://unboundtest.com/m/CAA/vansantgusler.com/YOKNFCKM

Query results for CAA vansantgusler.com

Response:
;; opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;vansantgusler.com.	IN	 CAA

;; AUTHORITY SECTION:
vansantgusler.com.	0	IN	SOA	DNS105.REGISTER.com. root.REGISTER.com. 122122822 10800 3600 604800 3600
vansantgusler.com.	0	IN	RRSIG	SOA 13 2 7200 20240425000000 20240404000000 28881 vansantgusler.com. HCs5wjRa3tVtBsTQ2l400WDvh6/DyAaW3cmqQkSZiKDaz8jKdHyXzsRahxVUOhj53spgT17OKFjS5VtH0us4jg==
vansantgusler.com.	0	IN	NSEC	vansantgusler.com. A NS SOA MX TXT RRSIG NSEC DNSKEY
vansantgusler.com.	0	IN	RRSIG	NSEC 13 2 3600 20240425000000 20240404000000 28881 vansantgusler.com. 3ouB/ZXTZwIAJ98SuAPX2lck9wEdGm3xL4vDVg1OUyxYR8tgslAf3HRXMNOJDqNuuMlDdRD/AzdNwECLWyWfxg==

----- Unbound logs -----
3 Likes
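To make the distinction drawn in the two replies above concrete (a proper, signed "not found" for CAA versus the SERVFAIL the www name gets), here is an added example that is not code from this thread, from Certbot or from unboundtest.com. It inspects a dig-style text response of the shape quoted above and reports whether it carries a DNSSEC NODATA proof: NOERROR, an empty ANSWER section, the AD flag, and an NSEC record owned by the queried name whose type bitmap omits the queried type, together with that NSEC's RRSIG. Both sample responses are constructed: the first is taken from the output quoted above with signatures truncated, and the SERVFAIL one is made up to match the description in the thread.

```python
import re

# Constructed sample based on the unboundtest.com response quoted in the thread:
# NOERROR, empty ANSWER, signed NSEC in AUTHORITY, AD flag set (signatures truncated).
SAMPLE_NODATA = """\
;; opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;vansantgusler.com.\tIN\t CAA
;; AUTHORITY SECTION:
vansantgusler.com.\t0\tIN\tSOA\tDNS105.REGISTER.com. root.REGISTER.com. 122122822 10800 3600 604800 3600
vansantgusler.com.\t0\tIN\tRRSIG\tSOA 13 2 7200 20240425000000 20240404000000 28881 vansantgusler.com. HCs5...
vansantgusler.com.\t0\tIN\tNSEC\tvansantgusler.com. A NS SOA MX TXT RRSIG NSEC DNSKEY
vansantgusler.com.\t0\tIN\tRRSIG\tNSEC 13 2 3600 20240425000000 20240404000000 28881 vansantgusler.com. 3ouB...
"""

# Constructed: the broken case the thread describes for www (SERVFAIL, so there is no proof to inspect).
SAMPLE_SERVFAIL = """\
;; opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def classify_negative_answer(response: str, qname: str, qtype: str) -> dict:
    """Report whether a dig-style text response is a DNSSEC-signed NODATA answer.
    Only the shape of the proof is inspected; verifying the RRSIGs is the
    validating resolver's job, which is what the AD flag records."""
    status = re.search(r"status: (\w+)", response)
    flags = re.search(r";; flags: ([^;]*);", response)
    answers = re.search(r"ANSWER: (\d+)", response)
    flagset = set(flags.group(1).split()) if flags else set()
    checks = {
        "status_noerror": bool(status) and status.group(1) == "NOERROR",
        "empty_answer": bool(answers) and answers.group(1) == "0",
        "ad_flag": "ad" in flagset,          # resolver validated the chain
        "nsec_proves_nodata": False,
        "nsec_signed": False,
    }
    want = qname.rstrip(".").lower()
    for line in response.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].rstrip(".").lower() != want:
            continue
        if f[3] == "NSEC":
            # NSEC owned by qname: the type bitmap after the next-name field must omit qtype.
            checks["nsec_proves_nodata"] = qtype.upper() not in set(f[5:])
        elif f[3] == "RRSIG" and f[4] == "NSEC":
            checks["nsec_signed"] = True
    checks["valid_nodata"] = all(checks.values())
    return checks
```

Running the same NSEC against qtype A reports no NODATA proof, which is correct: the bitmap says A records do exist at that name.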

Their DNS / DNSSEC is broken for any "not found" not just CAA (also AAAA for example). They really should fix their DNS.

Working around that with a wildcard on the root domain is hiding fundamental problems. And, I'm not even sure their DNS provider supports an API for that automation.

4 Likes

Agree. 🙂 That is why I had pointed them to

3 Likes

First and foremost, many thanks for all the insight and guidance. So far I've gone ahead and disabled the DNSSEC, added Letsencrypt as the CAA record, and plan to ask our service provider about IPv6 to go along with our IPv4 (to add AAAA). I'll be using the aforementioned sites to check and test for errors. Any other oversights with the DNS I should look for would definitely be appreciated. Thanks again!

3 Likes

@MaxNomad also presently Port 443 (i.e. for HTTPS) is not accessible from the Internet from around the world.

2 Likes

Thanks for pointing that out... Even though it's open in the firewall I still have it closed (commented out) in the web server config. I was trying to get the cert thing sorted out first.

2 Likes

That is very safe and practical. 🙂

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.