cPanel AutoSSL problem: SERVFAIL

Hi

My domain is: zlmar.com

I have full access to WHM/cPanel and attempted to install an SSL certificate on my domain using AutoSSL, but encountered an error:

Log for the AutoSSL run for “zlmar4”: Monday, September 29, 2025 1:24:48 PM GMT+0300 (Let’s Encrypt™)
 1:24:48 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
 Analyzing “zlmar4”’s domains …
 1:24:48 PM Analyzing “zlmar.com” (website) …
 1:24:48 PM ERROR TLS Status: Defective
 Certificate expiry: 9/20/26, 10:52 PM UTC (356.52 days from now)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
 1:24:48 PM Attempting to ensure the existence of necessary CAA records …
 1:24:48 PM No CAA records were created.
 1:24:48 PM Verifying 11 domains’ management status …
 Verifying “Let’s Encrypt™”’s authorization on 11 domains via DNS CAA records …
 1:24:48 PM “cpanel.zlmar.com” is managed.
 “www.zlmar.com” is managed.
 “webmail.zlmar.com” is managed.
 “mail.zlmar.com” is managed.
 “cpcontacts.zlmar.com” is managed.
 “cpcalendars.zlmar.com” is managed.
 “whm.zlmar.com” is managed.
 “ipv6.zlmar.com” is managed.
 CA authorized: “zlmar.com”
 CA authorized: “*.zlmar.com”
 CA authorized: “www.zlmar.com”
 CA authorized: “mail.zlmar.com”
 CA authorized: “cpanel.zlmar.com”
 CA authorized: “webdisk.zlmar.com”
 CA authorized: “webmail.zlmar.com”
 CA authorized: “cpcontacts.zlmar.com”
 CA authorized: “cpcalendars.zlmar.com”
 CA authorized: “whm.zlmar.com”
 1:24:49 PM CA authorized: “ipv6.zlmar.com”
 “Let’s Encrypt™” is authorized to issue certificates for 11 of this user’s 11 domains.
 “webdisk.zlmar.com” is managed.
 “*.zlmar.com” is managed.
 “zlmar.com” is managed.
 All of this user’s 11 domains are managed.
 1:24:49 PM Performing HTTP DCV (Domain Control Validation) on 10 domains …
 1:24:49 PM Local HTTP DCV OK: zlmar.com
 Local HTTP DCV OK: www.zlmar.com
 Local HTTP DCV OK: whm.zlmar.com
 Local HTTP DCV OK: mail.zlmar.com
 WARN Local HTTP DCV error (ipv6.zlmar.com): “ipv6.zlmar.com” does not resolve to any IP addresses on the internet.
 Local HTTP DCV OK: cpanel.zlmar.com
 Local HTTP DCV OK: webdisk.zlmar.com
 Local HTTP DCV OK: webmail.zlmar.com
 Local HTTP DCV OK: cpcontacts.zlmar.com
 Local HTTP DCV OK: cpcalendars.zlmar.com
 1:24:49 PM Verifying local authority for 2 domains …
 1:24:49 PM Local authority confirmed: “ipv6.zlmar.com”
 Local authority confirmed: “*.zlmar.com”
 1:24:49 PM Enqueueing 2 domains (1 zone) for local DNS DCV …
 1:24:49 PM Publishing DNS changes for local DNS DCV (1 zone) …
 1:24:52 PM Querying DNS to confirm DCV changes …
 Processing “zlmar4”’s local DCV results …
 1:24:52 PM Local DNS DCV OK: ipv6.zlmar.com (via zlmar.com)
 Local DNS DCV OK: *.zlmar.com (via zlmar.com)
 Analyzing “zlmar.com”’s DCV results …
 1:24:52 PM Trying 1 wildcard domain (*.zlmar.com) to maximize coverage …
 1:25:02 PM WARN “Let’s Encrypt™” HTTP DCV error (zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:09 PM ERROR “Let’s Encrypt™” DNS DCV error (zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (*.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.zlmar.com - the domain's nameservers may be malfunctioning)
 Retrying DCV without the failed wildcard domain …
 1:25:14 PM WARN “Let’s Encrypt™” HTTP DCV error (webmail.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for webmail.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for webmail.zlmar.com - the domain's nameservers may be malfunctioning)
 WARN “Let’s Encrypt™” HTTP DCV error (mail.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for mail.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for mail.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:18 PM WARN “Let’s Encrypt™” HTTP DCV error (cpcontacts.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for cpcontacts.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for cpcontacts.zlmar.com - the domain's nameservers may be malfunctioning)
 WARN “Let’s Encrypt™” HTTP DCV error (whm.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for whm.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for whm.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:19 PM WARN “Let’s Encrypt™” HTTP DCV error (cpanel.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for cpanel.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for cpanel.zlmar.com - the domain's nameservers may be malfunctioning)
 WARN “Let’s Encrypt™” HTTP DCV error (webdisk.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for webdisk.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for webdisk.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:20 PM WARN “Let’s Encrypt™” HTTP DCV error (www.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for www.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.zlmar.com - the domain's nameservers may be malfunctioning)
 WARN “Let’s Encrypt™” HTTP DCV error (cpcalendars.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up A for cpcalendars.zlmar.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for cpcalendars.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:29 PM ERROR “Let’s Encrypt™” DNS DCV error (cpcalendars.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.cpcalendars.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (www.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.www.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (cpanel.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.cpanel.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (webdisk.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.webdisk.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:30 PM ERROR “Let’s Encrypt™” DNS DCV error (mail.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.mail.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (webmail.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.webmail.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR “Let’s Encrypt™” DNS DCV error (whm.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.whm.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:34 PM ERROR “Let’s Encrypt™” DNS DCV error (ipv6.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.ipv6.zlmar.com - the domain's nameservers may be malfunctioning)
 1:25:35 PM ERROR “Let’s Encrypt™” DNS DCV error (cpcontacts.zlmar.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.cpcontacts.zlmar.com - the domain's nameservers may be malfunctioning)
 ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
 1:25:35 PM The system has completed “zlmar4”’s AutoSSL check.

I tried all possible commands to check propagation globally, accessed the DNS records, and confirmed everything is working 100%. The site is accessible globally via HTTP, but strangely, AutoSSL still refuses to work.

It's worth noting that the main domain, srvx.ws, along with its nameservers, is owned and fully controlled by me. The nameservers, ns1 and ns2, operate via an anycast DNS cluster. I can ping and test everything with them normally without any issues.

Do you control your authoritative nameserver? Is there some kind of rate limit mechanism in front of it?

2 Likes

Hi,

Yes, I have control; it's a simple cPanel DNSOnly via PowerDNS, and there are no restrictions at all, not even a firewall.

1 Like

You should check its logs. SERVFAIL is usually kinda hard to diagnose.

I see NOERROR when I query myself, but Let's Debug complains just like the validator: Let's Debug

1 Like

This thing really surprised me! I've spent a week trying to figure out where the problem is, testing on over 10 servers to check the query and ensuring the domain resolves correctly from any IP and any call. I need someone to help identify the issue here: why is AutoSSL rejecting it?
You can try it yourself for any DNS query using any IP, and you'll see it's working fine. The site even opens normally worldwide, but HTTPS via AutoSSL has failed.

1 Like

I don't know. There's something about your nameserver that Let's Encrypt's resolvers don't like.

Even unboundtest goes NOERROR:

https://unboundtest.com/m/TXT/_acme-challenge.cpcontacts.zlmar.com/RO6NFVAA
https://unboundtest.com/m/CAA/cpcontacts.zlmar.com/NX2DBGCQ

2 Likes

I've talked with the developer for Let's Debug, which reproduces your SERVFAIL.

He sees that your DNS server "refuses" requests from certain IP ranges. For example, it refuses IPs from a Hetzner hosting service while allowing IPs from other providers in similar locations.

Let's Encrypt does not use Hetzner; this is just an example and a likely avenue for you to check. There is likely some kind of IP-based (or other pattern) firewall involved.

I tested from a US-based AWS server and that worked fine. Most of Let's Encrypt's validation servers also are on AWS.

This global DNS tester also had problems from some locales. Maybe check with your ISP or hosting service whether they have some kind of filter.

5 Likes

Hi,

I will double-check that since there is actually no firewall installed. I will test using Hetzner IPs and servers to see if it works and update the results here.
Even the IPs listed on the site here that reject connections on DNS Propagation Checker - Global DNS Testing Tool will accept if you take the IP from the site and test it using the dig command.

I don't often use global DNS checkers as I don't often find them helpful (too many quirks). So not sure how reliable that site is. That Let's Debug reproduces is helpful.

A query is needed to learn the IP of your DNS servers. Let's Encrypt walks the tree of the authoritative name servers.

3 Likes

Actually, I would like to thank you, as the problem is solved. You mentioned some refusal via Hetzner servers, so I tried addressing it directly by sending requests from 2 servers, one of them on Hetzner, to all of the DNS servers. I detected that I had forgotten to add one DNS node in a specific region, which led to connection refusals in certain locations. Now everything is okay, as the IP and DNS are fine.

3 Likes
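The check this thread converges on (Let's Encrypt walks the delegation and queries the authoritative servers itself, so a recursive-resolver test from your own network can hide an anycast node that is missing or refusing in one region), written out as an added example that is not the poster's, cPanel's or Let's Debug's code. It queries every authoritative server of the zone directly with recursion disabled and flags any server that answers SERVFAIL or REFUSED, does not answer, or answers without the authoritative flag. It assumes dig is installed; the zone and hostnames on the command line are placeholders, and it only tells you something when run from more than one vantage point.

```shell
#!/bin/sh
# Added example: direct authoritative-server probe for ACME DNS troubleshooting.
# Usage: ./dnscheck.sh ZONE NAME [NAME...]  (placeholders; pick your own hostnames)

# Map one dig(1) response to a status word: NOERROR, NXDOMAIN, SERVFAIL, REFUSED,
# or NORESPONSE when the server never answered (dig prints no "status:" line).
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$status" ] && printf '%s\n' "$status" || printf 'NORESPONSE\n'
}

# Healthy means NOERROR/NXDOMAIN *and* the aa flag set; a non-authoritative NOERROR
# (lame node, or a recursive resolver answering from cache) is still a defect.
is_healthy() {
    case "$(dig_status "$1")" in
        NOERROR|NXDOMAIN) printf '%s\n' "$1" | grep -q 'flags: qr aa' ;;
        *) return 1 ;;
    esac
}

# Ask server $1 for $2/$3 with RD=0, one attempt, short timeout (no resolver in between).
query_auth() {
    dig +norecurse +time=3 +tries=1 "@$1" "$2" "$3"
}

# Resolve the zone's NS set, then every NS address, then probe each name/type pair
# (A, AAAA, TXT for _acme-challenge labels, CAA) exactly as the validator would.
check_zone() {
    zone=$1; shift
    rc=0
    for ns in $(dig +short NS "$zone"); do
        for addr in $(dig +short A "$ns") $(dig +short AAAA "$ns"); do
            for name in "$@"; do
                for rtype in A AAAA TXT CAA; do
                    out=$(query_auth "$addr" "$name" "$rtype")
                    if is_healthy "$out"; then
                        printf 'OK   %-32s %-4s via %s (%s)\n' "$name" "$rtype" "$ns" "$addr"
                    else
                        printf 'FAIL %-32s %-4s via %s (%s): %s\n' "$name" "$rtype" "$ns" "$addr" "$(dig_status "$out")"
                        rc=1
                    fi
                done
            done
        done
    done
    return $rc
}

if [ $# -ge 2 ]; then check_zone "$@"; fi
```

Run it once from your own network and once from a host in a region that Let's Debug reports as failing; a FAIL line that only appears from the second vantage point points at the anycast node serving that region.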
