Failed authorization procedure. listen.bitcorner.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for listen.bitcorner.de
What could be the problem? I get no errors looking up the subdomain from outside:
I get errors checking from outside for listen.bitcorner.de and also checking with online DNS checkers (which show errors). Google DNS (8.8.8.8) returns nothing, and I couldn't verify with an authoritative DNS server for that domain name.
In the check you made I read:
Nameservers were found, but the domain entered is a non-delegating subdomain. This application checks conformance to standards for delegating domains/subdomains, so many of the following tests could fail (SOA for instance).
I must admit I don't know the difference between a non-delegating subdomain and a delegating subdomain, but I think the domain should be resolvable nevertheless.
This is where we need the DNS experts (and I'm not one). I'll try and expand on my comments from before though, as I was rather brief in saying "I couldn't verify with an authoritative DNS server for that domain name". My understanding is:
Let's Encrypt needs to verify that you have control of the specific domain / subdomain (listen.bitcorner.de in this case), so it doesn't just go to Google (or any other DNS provider) and ask for the IP address for the domain, because someone could be doing DNS spoofing or there could be some other issue; so it asks your domain where the authoritative DNS servers are, so it can ask the appropriate, valid, authoritative DNS servers for your IP address.
Once it has the authoritative DNS servers, it checks with those for the IP address.
It is the stage where it’s trying to determine the authoritative DNS servers that it was failing for me. I can go to root-dns.netcup.net and get your IP, but I couldn’t obtain proof that root-dns.netcup.net was an authoritative DNS server for your domain.
My understanding is that if Let's Encrypt can't identify your authoritative DNS servers and get the IP from them, it will fail. I've run checks in various places, and some succeed in getting an IP using a simple dig, whilst others fail. I suspect this is all to do with the same issue, and whether the DNS providers that are checked just accept any answer (and hence are liable to spoofing) or whether they check that everything is authoritative (like Let's Encrypt does, amongst others) and hence fail to obtain the IP address.
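To make the "follow the delegation chain, trust only authoritative answers" behaviour described in the reply above concrete, here is a small simulation. It is an added example, not code from the thread or from Let's Encrypt. All zone names, server names and addresses are constructed (the `.example` domains, `192.0.2.x`, `198.51.100.x`); they are not the real DNS data for bitcorner.de. It models the two cases from the discussion, a non-delegating subdomain (the A record sits directly in the parent zone) and a delegating subdomain (NS records hand it to another server), plus the failure modes that make a strict, iterative resolver return SERVFAIL where a lenient one might still hand back an address: a delegation to a server that cannot be reached, and a lame delegation to a server that is not authoritative for the name.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    apex: str                                # zone name, e.g. "bitcorner.example."
    rrs: dict = field(default_factory=dict)  # owner name -> [(rrtype, rdata), ...]


def parent(name):
    """Strip the leftmost label; "example." -> ".", "a.b." -> "b."."""
    return "." if name.count(".") == 1 else name.split(".", 1)[1]


def in_zone(name, apex):
    return apex == "." or name == apex or name.endswith("." + apex)


class FakeServer:
    """A constructed authoritative server: it only knows the zones it is given."""

    def __init__(self, *zones):
        self.zones = zones

    def query(self, qname, qtype):
        """Return (rcode, answer_rdata, referral_ns_names)."""
        holding = [z for z in self.zones if in_zone(qname, z.apex)]
        if not holding:
            return "REFUSED", [], []           # not authoritative here (lame)
        zone = max(holding, key=lambda z: len(z.apex))
        # Walk from qname up to the apex; an NS set strictly below the apex
        # is a delegation point, so answer with a referral instead of data.
        name = qname
        while name != zone.apex:
            ns = [rd for typ, rd in zone.rrs.get(name, []) if typ == "NS"]
            if ns:
                return "REFERRAL", [], ns
            name = parent(name)
        answer = [rd for typ, rd in zone.rrs.get(qname, []) if typ == qtype]
        if answer:
            return "NOERROR", answer, []
        return ("NODATA" if qname in zone.rrs else "NXDOMAIN"), [], []


# Constructed "internet": hostname -> server. Delegations naming a host that is
# missing here stand in for nameservers the validator cannot reach.
SERVERS = {}


def resolve(qname, qtype, root="a.root.example.", max_hops=10):
    """Iterative, authoritative-only lookup starting at the root.
    SERVFAIL means no trustworthy chain of referrals led to an answer."""
    server = root
    for _ in range(max_hops):
        srv = SERVERS.get(server)
        if srv is None:
            return "SERVFAIL", []              # delegated to an unreachable host
        rcode, answer, referral = srv.query(qname, qtype)
        if rcode == "REFERRAL":
            server = next((ns for ns in referral if ns in SERVERS), referral[0])
            continue
        if rcode == "REFUSED":
            return "SERVFAIL", []              # lame delegation
        return rcode, answer
    return "SERVFAIL", []                      # referral loop


ROOT = Zone(".", {"example.": [("NS", "ns.tld.example.")]})
TLD = Zone("example.", {
    "bitcorner.example.": [("NS", "root-dns.host.example.")],
    "broken.example.": [("NS", "ns.nowhere.example.")],          # unreachable NS
    "lame.example.": [("NS", "ns.lab.bitcorner.example.")],      # not authoritative
})
BITCORNER = Zone("bitcorner.example.", {
    "bitcorner.example.": [("A", "192.0.2.10")],
    # non-delegating subdomain: plain A record inside the parent zone
    "listen.bitcorner.example.": [("A", "192.0.2.11")],
    # delegating subdomain: NS records hand the subtree to another server
    "lab.bitcorner.example.": [("NS", "ns.lab.bitcorner.example.")],
})
LAB = Zone("lab.bitcorner.example.", {
    "www.lab.bitcorner.example.": [("A", "198.51.100.5")],
})

SERVERS.update({
    "a.root.example.": FakeServer(ROOT),
    "ns.tld.example.": FakeServer(TLD),
    "root-dns.host.example.": FakeServer(BITCORNER),
    "ns.lab.bitcorner.example.": FakeServer(LAB),
})

if __name__ == "__main__":
    for name in ("listen.bitcorner.example.", "www.lab.bitcorner.example.",
                 "broken.example.", "lame.example.", "nope.bitcorner.example."):
        print(name, resolve(name, "A"))
```

A non-delegating subdomain resolves fine as long as the parent zone's servers are reachable and authoritative; it is only a problem for checkers that expect a SOA at the subdomain itself. The cases that end in SERVFAIL are the ones to look for with a real domain: against live DNS, `dig +trace listen.bitcorner.de` performs the same walk from the root and shows at which referral the chain breaks.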