DNS problem getting certificate


#1

Hello!

On a Linuxserver I did the following:

./letsencrypt-auto certonly --standalone --force-renew --rsa-key-size 4096 -d bitcorner.de -d www.bitcorner.de -d mail.bitcorner.de -d listen.bitcorner.de

and get

Failed authorization procedure. listen.bitcorner.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for listen.bitcorner.de

What could be the problem? I get no errors looking up the subdomain from outside:

host listen.bitcorner.de

listen.bitcorner.de has address 37.120.166.21
listen.bitcorner.de has IPv6 address 2a03:4000:6:4123::1

Greetings and thanks for any help!


#2

I get errors checking from outside for listen.bitcorner.de and also checking with online DNS checkers (which show errors). Google DNS (8.8.8.8) returns nothing, and I couldn’t verify with an authoritative DNS server for that domain name.


#3

Google DNS 8.8.8.8 returns no answer, not even for bitcorner.de or mail.bitcorner.de.

I can dig listen.bitcorner.de at all three authoritative DNS servers second-dns.netcup.net, root-dns.netcup.net and third-dns.netcup.net and get a positive answer.

This A record is many months old and is IPv4. Today I added an IPv6 record, but the problem with letsencrypt-auto persists.


#4

If you check at sites like http://www.dnsstuff.com/tools#dnsReport|type=domain&&value=listen.bitcorner.de it reports lots of DNS errors.

I didn’t check bitcorner.de or mail.bitcorner.de - only the one which it was giving an error for.


#5

In the check you made I read:
Nameservers were found, but the domain entered is a non-delegating subdomain. This application checks conformance to standards for delegating domains/subdomains, so many of the following tests could fail (SOA for instance).

I must admit I don’t know the difference between a non-delegating subdomain and a delegating subdomain, but I think the domain should be resolvable nevertheless.


#6

I’m also getting a SERVFAIL error, so I’d suggest continuing to investigate what may be wrong with the DNS.

Edit: but then it started working for me! So I’m not sure.


#7

This is where we need the DNS experts (and I’m not one :wink:). I’ll try and expand on my comments from before though, as I was rather brief in saying "I couldn’t verify with an authoritative DNS server for that domain name". My understanding is:

Let’s Encrypt needs to verify that you have control of the specific domain / subdomain (listen.bitcorner.de in this case), so it doesn’t just go to Google (or any other DNS provider) and ask for the IP address for the domain, because someone could be doing DNS spoofing or there could be some other issue. Instead it asks your domain where the authoritative DNS servers are, so it can ask the appropriate, valid, authoritative DNS servers for your IP address.

Once it has the authoritative DNS servers, it checks with those for the IP address.

It is the stage where it’s trying to determine the authoritative DNS servers that it was failing for me. I can go to root-dns.netcup.net and get your IP, but I couldn’t obtain proof that root-dns.netcup.net was an authoritative DNS server for your domain.

A graphical representation of the issue (if that helps): http://dnsviz.net/d/listen.bitcorner.de/dnssec/

My understanding is that if Let’s Encrypt can’t identify your authoritative DNS servers and get the IP from them, it will fail. I’ve run checks in various places, and some succeed in getting an IP using a simple dig, whilst others fail. I suspect this is all to do with the same issue, and with whether the DNS providers that are checked just accept any answer (and hence are liable to spoofing) or check that everything is authoritative (like Let’s Encrypt does, amongst others) and hence fail to obtain the IP address.
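The distinction drawn in the reply above (a direct query to root-dns.netcup.net succeeding while a resolver that walks the delegation chain from the root returns SERVFAIL) is easiest to see in a toy iterative resolver. The following is an added example, not code from the thread and not Let's Encrypt's or Boulder's own resolver. The zone data is constructed: only the three netcup server names and the two addresses come from the thread; the root hint, the .de server name, the zone contents and the "old provider" failure scenario are assumptions for illustration.

```python
"""Toy iterative resolver: walks root -> TLD -> zone the way a recursive
resolver does, so an answer only counts when it comes from a server the
parent zone actually delegates to.  Added example with constructed data;
not Let's Encrypt's code.  NXDOMAIN, glue, CNAMEs and DNSSEC are not modelled."""

from copy import deepcopy

NETCUP_NS = ["root-dns.netcup.net.", "second-dns.netcup.net.",
             "third-dns.netcup.net."]           # server names from the thread
ROOT_HINTS = ["a.root-servers.net."]            # assumed root hint

# Constructed zone data: server -> {zone apex -> {owner -> {rrtype -> [rdata]}}}
GOOD_SERVERS = {
    "a.root-servers.net.": {".": {"de.": {"NS": ["a.nic.de."]}}},   # assumed
    "a.nic.de.": {"de.": {"bitcorner.de.": {"NS": NETCUP_NS}}},
}
_ZONE = {"bitcorner.de.": {
    "bitcorner.de.": {"NS": NETCUP_NS, "A": ["37.120.166.21"]},
    "listen.bitcorner.de.": {"A": ["37.120.166.21"],
                             "AAAA": ["2a03:4000:6:4123::1"]},
}}
for _ns in NETCUP_NS:                           # all three serve the same zone
    GOOD_SERVERS[_ns] = _ZONE


def in_zone(name, apex):
    """True if `name` is at or below `apex` (both fully qualified)."""
    return apex == "." or name == apex or name.endswith("." + apex)


def query(servers, server, qname, qtype):
    """One simulated authoritative query -> (rcode, aa, answer, referral_ns)."""
    zones = servers.get(server)
    if zones is None:                           # server unreachable
        return "TIMEOUT", False, [], []
    apexes = [z for z in zones if in_zone(qname, z)]
    if not apexes:                              # lame: not authoritative here
        return "REFUSED", False, [], []
    apex = max(apexes, key=len)
    zone = zones[apex]
    # An NS set below the apex that covers qname is a zone cut -> referral
    cuts = [n for n, rr in zone.items()
            if n != apex and "NS" in rr and in_zone(qname, n)]
    if cuts:
        return "NOERROR", False, [], zone[max(cuts, key=len)]["NS"]
    return "NOERROR", True, zone.get(qname, {}).get(qtype, []), []


def resolve(servers, qname, qtype, max_hops=8):
    """Iterative resolution from the root hints -> (rcode, answer, trace).
    Every hop must come from the previous hop's referral; a direct query to
    a server nobody delegated to is never consulted."""
    candidates = list(ROOT_HINTS)
    trace = []
    for _ in range(max_hops):
        referral = None
        for server in candidates:
            rcode, aa, answer, ref = query(servers, server, qname, qtype)
            trace.append((server, rcode, aa))
            if rcode != "NOERROR":
                continue                        # try the next server in the set
            if aa:
                return "NOERROR", answer, trace
            referral = ref
            break
        if referral is None:                    # whole NS set failed -> SERVFAIL
            return "SERVFAIL", [], trace
        candidates = referral
    return "SERVFAIL", [], trace


def broken_delegation():
    """Assumed failure mode: the .de parent still delegates bitcorner.de to an
    old provider's server that no longer answers, while the netcup servers
    themselves serve the zone, so `dig @root-dns.netcup.net` works but a
    chain walk from the root cannot prove those servers are authoritative."""
    servers = deepcopy(GOOD_SERVERS)
    servers["a.nic.de."]["de."]["bitcorner.de."]["NS"] = ["ns1.old-provider.example."]
    return servers


if __name__ == "__main__":
    for label, servers in (("good", GOOD_SERVERS), ("broken", broken_delegation())):
        rcode, answer, trace = resolve(servers, "listen.bitcorner.de.", "A")
        print(label, rcode, answer)
        for hop in trace:
            print("   ", hop)
        direct = query(servers, "root-dns.netcup.net.", "listen.bitcorner.de.", "A")
        print("    direct query to root-dns.netcup.net:", direct[:3])
```

Running it shows the same split the reply describes: in the "broken" scenario the direct query still returns the A record with the AA flag set, but the walk from the root stops at a timed-out referral and ends in SERVFAIL. The practical check is therefore not `host listen.bitcorner.de`, which trusts whatever the local resolver cached, but `dig +trace listen.bitcorner.de` (or the dnsviz link above), comparing the NS set the parent hands out with the NS set the zone's own servers return.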

