DNS Lookup of A and AAAA Records on DigitalOcean Failed

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uploads.sellingafrica.com

I ran this command:

```
sudo certbot --apache -d uploads.sellingafrica.com -d www.sellingafrica.com
```

It produced this output:

```
Failed authorization procedure. www.sellingafrica.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for www.sellingafrica.com, uploads.sellingafrica.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for uploads.sellingafrica.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.sellingafrica.com
   Type:   connection
   Detail: dns :: DNS problem: SERVFAIL looking up A for
   www.sellingafrica.com

   Domain: uploads.sellingafrica.com
   Type:   connection
   Detail: dns :: DNS problem: SERVFAIL looking up A for
   uploads.sellingafrica.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

My web server is (include version): Ubuntu 18.04 VPS

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean (https://digitalocean.com)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 0.31.0

#2

Hi @ayez1389

your DNSSEC is broken ( https://check-your-website.server-daten.de/?q=uploads.sellingafrica.com ):

You have ipv4 and ipv6 addresses defined:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| uploads.sellingafrica.com | A | 178.128.32.123 | yes | 2 | 0 |
| | AAAA | 2a03:b0c0:1:e0::420:8001 | yes | | |
| www.uploads.sellingafrica.com | C | uploads.sellingafrica.com | yes | 1 | 0 |
| | A | 178.128.32.123 | yes | | |
| | AAAA | 2a03:b0c0:1:e0::420:8001 | yes | | |

but your DNSSEC:

1 DS RR in the parent zone found

  1 RRSIG RR to validate DS RR found

  Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 19.05.2019, 05:40:40, Signature-Inception: 12.05.2019, 04:30:40, KeyTag 3800, Signer-Name: com

  • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 3800 used to validate the DS RRSet in the parent zone

  0 DNSKEY RR found

  Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 48123, DigestType 2, Digest czxzJKOJem7VA0zXhegacwfpn6sRdNy+7EmBQXgAGCU=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

Your parent zone has a DS record, so your parent zone confirms that your zone is signed.

But your zone doesn’t have a DNSKEY with these values of the parent DS RR. So your local DNSSEC is broken -> your ipv4 and ipv6 addresses are not signed.

Result: Letsencrypt can’t use these ip addresses -> NXDOMAIN, no A-record found.

So

  • remove the DS entry in your parent zone (not good) (or)
  • fix your DNSSEC.

Perhaps you have used DNSSEC and changed to a new hoster without DNSSEC support.

But DNSSEC is a great feature.

1 Like
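To make concrete what the checker output above is comparing, here is an added example (not from the post or from the check-your-website tool) that computes a DNSKEY's key tag and DS digest as RFC 4034 specifies and reports whether a parent-zone DS links to any DNSKEY the child zone publishes. The zone name and key bytes are constructed; only the DS values (KeyTag 48123, Algorithm 7, DigestType 2 and the base64 Digest) are taken from the thread, and with no matching DNSKEY the result is the same "no chain of trust" outcome the tool reported.

```python
"""Link a parent-zone DS record to a child-zone DNSKEY (RFC 4034 sections 5.1.4 and Appendix B)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the type in the thread), 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# The DS published in the .com zone according to the checker output in the thread:
# (key tag, algorithm, digest type, digest bytes). The tool prints the digest base64-encoded.
PARENT_DS = (48123, 7, 2, base64.b64decode("czxzJKOJem7VA0zXhegacwfpn6sRdNy+7EmBQXgAGCU="))


@dataclass
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    public_key: bytes   # raw public key material (the base64 field, decoded)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the RDATA (valid for every algorithm except 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    # Canonical owner name: lower-cased, length-prefixed labels, terminating zero byte
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(key: DNSKEY, digest_type: int) -> bytes:
    # RFC 4034 5.1.4: digest = hash(owner name in wire format || DNSKEY RDATA)
    return DIGEST_ALGOS[digest_type](wire_name(key.owner) + key.rdata()).digest()


def ds_matches(ds: tuple, key: DNSKEY) -> bool:
    tag, alg, dtype, digest = ds
    return tag == key.key_tag() and alg == key.algorithm and digest == ds_digest(key, dtype)


def find_trust_anchor(ds: tuple, zone_keys: list) -> Optional[DNSKEY]:
    """Return the DNSKEY the DS points at, or None: the 'No chain of trust created' case."""
    return next((k for k in zone_keys if ds_matches(ds, k)), None)
```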
#3

Thank you so much for your prompt response. I just contacted my domain name service provider and they instructed me to request that Let's Encrypt provide a DNSSEC record and add it in the active DNS zone. So please, is this something that is possible?

2 Likes
#4

Thank you once more. It appears my domain name registrar had a poor understanding of the problem. So I decided to remove the current DNSSEC records and voila, the issue is solved. Thank you for the prompt response, I really appreciate it.

2 Likes
#5

Sounds curious. Whether you have (or don't have) DNSSEC has nothing to do with Letsencrypt.

But if you use DNSSEC, there are two things: the DS in the parent zone and your own valid DNSSEC configuration (DNSKEY and signed answers). And if that doesn't work, then it's critical to create a Letsencrypt certificate.

1 Like