DNS issues: CNAME does not work. Renew failed

Hello.

Some time ago certbot renew was failed with DNS A record required, but CNAME record is present and worked earlier for long time, what happends?

After failed renew I tried to move the records to cloudflare DNS, but it does not works. I removed the local certificate and got the same error when trying to get a new one

My domain is:
www.reliabletech.ru

I ran this command:
certbot

It produced this output:

[lex-serv@localhost nginx]$ sudo certbot                          
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.reliabletech.ru
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for www.reliabletech.ru

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: www.reliabletech.ru
Type:   dns
Detail: DNS problem: SERVFAIL looking up A for www.reliabletech.ru - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.reliabletech.ru - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version):
nginx 1.20.2

The operating system my web server runs on is (include version):
fedora server 35

My hosting provider, if applicable, is:
selfhosted (my home server)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

Yeah, your DNS is broken. I'm getting the same thing:

 ✘ dan@Dan-MacBook-Pro-2013  ~  host www.reliabletech.ru
Host www.reliabletech.ru not found: 2(SERVFAIL)

Let's Debug indicates the issue is DNSSEC. So no, it has nothing to do with having a CNAME record.

3 Likes

The CNAME doesn't currently work, because of DNSSEC issues.

You have a DS-RR in the parent zone (.ru), but the reliabletech.ru zone (currently) hosted @ Cloudflare doesn't even appear to be signed.

It's possible that this issue appeared because you moved the zone to Cloudflare, without removing the prior DS from the .ru registry. The best thing going forward would now be to talk to your domain registrar (who has access to the .ru zone) and ask them to remove the DS record. If you want to retain DNSSEC, follow Cloudflare's instructions on how to enable DNSSEC on your new zone, but first you need to remove the old DS in any case.

2 Likes

I'm looking at www.reliabletech.ru | DNSViz and can not figure out how to get around this

lexem.ddns.is74.ru is a subdomain of my internet provider DDNS service, there no DS from my old registrar and i can't influence the internet provider DNS

Is this realy a problem with the ddns service?

Earlier with domain registrar's DNS I getting the same issue

Are you the registrant of reliabletech.ru?

The registrant needs to login to the domain registrar (regtime.ru? rf.ru?) and disable DNSSEC for that domain.

DNSSEC requires a matching configuration between the domain registry (.ru) and the DNS host (Cloudflare). Right now, your configuration doesn't match, so the domain is broken. Disabling DNSSEC and setting it up from scratch is what you need to do.

3 Likes

Yes, I'm the registrant.

I disabled DNSSEC of the domain hoster (webnames.ru) and enabled it in cloudflare. Let's wait for the DNS propogation

1 Like

Also be aware that the ru. nameservers could be (actually are, I think) under "unusual" load due to several DDoS attacks aimed at Russia.

1 Like

Yes, but I've had this problem since February 7th

1 Like

Unforunately it doesn't help for me

Is there any ideas?

It doesn't matter too much for your users. Queries get cached by their resolver, but authoritative nameservers need to respond at least once every hour per hostname per record.

(I tried three times, one timed out)

I see this record:

reliabletech.ru.        345600  IN      DS      65449 8 1 5D628058A52586FCFA95E93870D433F85B22EF59

Is it the new one or the old one?

345600 seconds is a lot of time.

1 Like

I think it is old. Current is (from cloudflare settings)

reliabletech.ru. 3600 IN DS 2371 13 2 AE20793D9CC431B7A28CA2ECCBCEB150CADABC020386F9E52BA291C47F619763

Then you should wait. The ru. registry hasn't updated the record.

$ dig ds reliabletech.ru @$(dig +short ns ru. | head -n 1) +short
65449 8 1 5D628058A52586FCFA95E93870D433F85B22EF59

You did add the new one in your registrar panel, did you?

1 Like

I just disabled DNSSEC of the domain hoster and enabled it in cloudflare

But you still need to add the record cloudflare gives you in the registrar's panel.

2 Likes

works fine now, tnx

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.