Detail: DNS problem: SERVFAIL looking up CAA for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fenixapi.tecnoeste.net

I ran this command: /letsencrypt-auto

It produced this output:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
httpd-2.4.6-97.el7.centos.x86_64

The operating system my web server runs on is (include version):
centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

1 Like

Hi,

Let's Debug and the unbound test don't show any error for this domain. Can you try again?

https://unboundtest.com/m/CAA/fenixapi.tecnoeste.net/ID72HPXJ

2 Likes

I just updated the certbot

certbot --version

certbot 1.13.0

On the dig toolbox I got this:

id 50766

opcode QUERY
rcode NOERROR
flags QR RD RA
;QUESTION
fenixapi.tecnoeste.net. IN CAA
;ANSWER
fenixapi.tecnoeste.net. 14399 IN CAA 0 issue "letsencrypt.org"
;AUTHORITY
;ADDITIONAL

2 Likes
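The CAA answer above says only letsencrypt.org may issue for fenixapi.tecnoeste.net. As an added example (not code from the thread or from Let's Encrypt), the following walks through how a CA is expected to evaluate such a record set per RFC 8659: parse the ;ANSWER section of dig-style output, find the relevant CAA set by climbing from the host name towards the parent, then decide whether a given issuer domain is permitted. The dig output embedded below is the one quoted in the post; the extra record set with a critical unknown tag is constructed purely to exercise that branch, and CNAME handling is omitted as a simplification.

```python
"""Evaluate CAA records the way RFC 8659 describes (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# The dig-toolbox answer quoted in the thread, embedded as a constant.
SAMPLE_DIG_OUTPUT = """\
;QUESTION
fenixapi.tecnoeste.net. IN CAA
;ANSWER
fenixapi.tecnoeste.net. 14399 IN CAA 0 issue "letsencrypt.org"
;AUTHORITY
;ADDITIONAL
"""

# Constructed record set (not from the thread): a critical flag on a tag the CA
# does not understand, which must block issuance.
CONSTRUCTED_CRITICAL_SET = {"example.test": [(128, "unknowntag", "x")]}

CAA_RR = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
CaaSet = Dict[str, List[Tuple[int, str, str]]]  # owner -> [(flags, tag, value)]


def parse_caa_answers(dig_output: str) -> CaaSet:
    """Collect CAA records from the ;ANSWER section of dig-style output."""
    records: CaaSet = {}
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            in_answer = line == ";ANSWER"
            continue
        if not in_answer or not line:
            continue
        m = CAA_RR.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            records.setdefault(owner, []).append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records


def relevant_caa_set(name: str, caa_by_owner: CaaSet) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """RFC 8659 section 3: the first non-empty CAA set found climbing from name to the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if caa_by_owner.get(owner):
            return owner, caa_by_owner[owner]
    return None, []


def ca_may_issue(name: str, ca_domain: str, caa_by_owner: CaaSet, wildcard: bool = False) -> bool:
    """Return True if a CA identified by ca_domain may issue for name."""
    _, rrset = relevant_caa_set(name, caa_by_owner)
    known_tags = {"issue", "issuewild", "iodef"}
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in known_tags for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    if wildcard and "issuewild" in tags:
        governing = "issuewild"
    elif "issue" in tags:
        governing = "issue"
    else:
        return True  # no restricting property anywhere in the chain: not constrained
    for _, tag, value in rrset:
        if tag != governing:
            continue
        # The issuer domain precedes any ';' parameters; an empty issuer ("issue ;") allows nobody.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    records = parse_caa_answers(SAMPLE_DIG_OUTPUT)
    for host in ("fenixapi.tecnoeste.net", "www.fenixapi.tecnoeste.net"):
        print(host, "letsencrypt.org may issue:", ca_may_issue(host, "letsencrypt.org", records))
```

Note that the climb stops at the first owner that has CAA records, so a subdomain's record set wins over the parent's, and a host with no CAA anywhere up the chain is unconstrained. A SERVFAIL while looking up CAA, as in the thread title, is a different case entirely: the CA cannot tell whether a restricting set exists, so it refuses rather than assuming "no records".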

Hi Steve,
Now I have this:
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

2 Likes

Well, that's also not entirely true..:

https://unboundtest.com/m/A/fenixapi.tecnoeste.net/JT7MHU7P

@lestaff Could these DNS incidents be related to the current IPv6 issue, or is this an unrelated thing we're seeing for the second time today now, perhaps pointing to a different issue at Let's Encrypt regarding DNS? In this case it seems to be only a single hostname having issues.

4 Likes

Hi @vperetti

Looks like your name server configuration is fatal - see fenixapi.tecnoeste.net - Make your website better - DNS, redirects, mixed content, certificates

The error is simple:

ns1.basepro.com.br 200.98.29.100

4 name servers with the same IP address.

A minimum of 2 name servers in two different subnets is required.

Looks like Letsencrypt creates so much traffic that a blocking instance blocks.

So you have different, random errors.

PS: Screenshot

2021-04-05.fenixapi.tecnoeste.net

3 Likes

No. I think the issue is, he has four nameservers listed in the NS zone (at least so according to online DNS checker), but the other two are missing from WHOIS.

And looking at @JuergenAuer, those four are on the same IP...
It's just amazing.

P.S. @JuergenAuer: is there any chance you can improve the UI a bit?... It looks weird on mobile devices. :joy:

2 Likes

Hi @stevenzhu

that's correct, see

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns1.basepro.com.br (200.98.29.100): Delegation: ns1.basepro.com.br, ns2.basepro.com.br, Zone: ns3.basepro.net, ns4.basepro.net. Name Servers defined in Delegation, missing in Zone: ns1.basepro.com.br, ns2.basepro.com.br. Name Servers defined in Zone, missing in Delegation: ns3.basepro.net, ns4.basepro.net.

But Letsencrypt doesn't check the zone name servers, only the delegation.

So such a configuration is bad - but not Letsencrypt relevant. A lot of domains have that error - with LE-certificates.

3 Likes
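The two findings in this exchange (delegation NS set differs from the zone's own NS set; every listed server resolves to one address) are easy to audit once the NS names and their addresses are in hand. The following is an added example, not code from the thread, from Let's Encrypt or from the checker that produced the output above. The NS sets and the single address 200.98.29.100 are taken from the posts; the /24 (IPv4) and /48 (IPv6) prefixes used to decide "different subnets" are an assumption, since the thread does not say which prefix length it means. Live data would come from `dig NS` against the parent and against each authoritative server, plus A/AAAA lookups of each NS name.

```python
"""Audit NS delegation consistency and name-server diversity (added example, not from the thread)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Values quoted in the thread's checker output.
DELEGATION_NS = {"ns1.basepro.com.br", "ns2.basepro.com.br"}   # NS set in the parent zone
ZONE_NS = {"ns3.basepro.net", "ns4.basepro.net"}               # NS set served by the zone itself
NS_ADDRESSES = {                                                # every server resolves to one IP
    "ns1.basepro.com.br": ["200.98.29.100"],
    "ns2.basepro.com.br": ["200.98.29.100"],
    "ns3.basepro.net": ["200.98.29.100"],
    "ns4.basepro.net": ["200.98.29.100"],
}


def _normalize(names: Iterable[str]) -> Set[str]:
    """Owner names compare case-insensitively and with or without the trailing dot."""
    return {n.rstrip(".").lower() for n in names}


def ns_set_diff(delegation: Iterable[str], zone: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (only_in_delegation, only_in_zone); both empty means the sets agree."""
    d, z = _normalize(delegation), _normalize(zone)
    return sorted(d - z), sorted(z - d)


def distinct_subnets(addresses: Dict[str, List[str]], v4_prefix: int = 24, v6_prefix: int = 48):
    """Set of networks the name servers live in (prefix lengths are an assumption)."""
    nets = set()
    for addr_list in addresses.values():
        for a in addr_list:
            ip = ipaddress.ip_address(a)
            prefix = v4_prefix if ip.version == 4 else v6_prefix
            nets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return nets


def audit(delegation: Iterable[str], zone: Iterable[str], addresses: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    only_d, only_z = ns_set_diff(delegation, zone)
    if only_d or only_z:
        findings.append(
            f"NS sets differ: delegation-only {only_d}, zone-only {only_z}; "
            f"validators that trust the delegation will query {sorted(_normalize(delegation))}"
        )
    ips = {a for addr_list in addresses.values() for a in addr_list}
    if len(ips) < 2:
        findings.append(
            f"{len(addresses)} name server names but only {len(ips)} distinct address(es): "
            "one host (and one rate limiter) receives every query"
        )
    nets = distinct_subnets(addresses)
    if len(nets) < 2:
        findings.append(f"all name servers sit in one subnet {sorted(map(str, nets))}: no network diversity")
    return findings


if __name__ == "__main__":
    for finding in audit(DELEGATION_NS, ZONE_NS, NS_ADDRESSES) or ["no findings"]:
        print("-", finding)
```

The first finding reflects the point made above: a validating CA follows the delegation, so the zone-side NS set is what the checker flags but not what decides which servers receive the validation queries. The second and third are the ones that matter for bursts of A, AAAA and CAA lookups arriving from several vantage points at once, since all of them land on a single address.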

Yes, that's possible, but the workaround that's now in place should have fixed this. If that error message is from before we put the workaround in place, please try again.

4 Likes

Hi James,
Still getting this.
blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

1 Like

Hmm, then it's probably not the known IPv6 issue. Maybe this?

It's interesting that the first errors you reported didn't include During secondary validation, but your most recent error did. That indicates that, at various times, it's been different parts of our validation service that have had trouble reaching you.

3 Likes

Note that I also put forward this hypothesis on a recent thread over here: DNS problem: SERVFAIL looking up CAA - #9 by jsha.

We should set up some tooling to make it easy for us (or a community member) to test this idea by sending simultaneous queries for A, AAAA, and CAA from N different sites to a specific authoritative server and see if we get throttled.

6 Likes

Now this different problem:

blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Challenge failed for domain fenixapi.tecnoeste.net
http-01 challenge for fenixapi.tecnoeste.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: fenixapi.tecnoeste.net
    Type: dns
    Detail: During secondary validation: DNS problem: SERVFAIL looking
    up A for fenixapi.tecnoeste.net - the domain's nameservers may be
    malfunctioning

I cleaned the DNS settings, removed the A and CAA records and recreated them, removed the Apache rewrite options, and now I could renew the certificate.

Thanks for the quick help!

blank to select all options shown (Enter 'c' to cancel): 2
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for fenixapi.tecnoeste.net
Performing the following challenges:
http-01 challenge for fenixapi.tecnoeste.net
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/httpd/conf.d/fenixapi-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/fenixapi.conf to ssl vhost in /etc/httpd/conf.d/fenixapi-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://fenixapi.tecnoeste.net


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/fenixapi.tecnoeste.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/fenixapi.tecnoeste.net/privkey.pem
    Your certificate will expire on 2021-07-05. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

1 Like