DNS problem: No valid IP addresses [was: SERVFAIL looking up CAA]

My domain is: infor-mail.com

I ran this command:

# certbot certonly --test-cert --dry-run --webroot --webroot-path /srv/uxmailer/web/infor-mail/htdocs/www.infor-mail.com/ -d infor-mail.com,www.infor-mail.com,mail.infor-mail.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/infor-mail.com.conf)

It contains these names: infor-mail.com, www.infor-mail.com

You requested these names for the new certificate: infor-mail.com,
www.infor-mail.com, mail.infor-mail.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate

IMPORTANT NOTES:
 - The dry run was successful.

Then, I ran this command:

# certbot certonly --webroot --webroot-path /srv/uxmailer/web/infor-mail/htdocs/www.infor-mail.com/ -d infor-mail.com,www.infor-mail.com,mail.infor-mail.com

And it produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/infor-mail.com.conf)

It contains these names: infor-mail.com, www.infor-mail.com

You requested these names for the new certificate: infor-mail.com,
www.infor-mail.com, mail.infor-mail.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for infor-mail.com
Using the webroot path /srv/uxmailer/web/infor-mail/htdocs/www.infor-mail.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. infor-mail.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for infor-mail.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: infor-mail.com
   Type:   None
   Detail: No valid IP addresses found for infor-mail.com

My web server is (include version):

Apache 2.4.38-3 (Debian), but I bet it doesn't matter in this case.

My hosting provider, if applicable, is: myself, running BIND 9 on three other Debian GNU/Linux servers.

I have SSH root access to all of my servers.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0

I might add that I already tried unboundtest.com, it finds the IP address and the CAA record, but it produces a lot of messages (no BOGUS nor FAIL strings in there) and I'm not able to understand if there is anything wrong. Letsdebug.net says it's all ok.

The error in the output shows "No valid IP addresses found for infor-mail.com" and does not mention the SERVFAIL error for the CAA record at all. Where does that latter error come from? Do you have certbot output for that too?

Also, please take a look at the DNSViz output for your domain (infor-mail.com on DNSViz). It doesn't look good with 10 errors. It seems one of the three configured authoritative nameservers is responsible (muppet.virtualbit.it.).

Sorry, the SERVFAIL for the CAA record shows up from time to time and it actually showed up for this domain too, before it turned into the "No valid IP addresses" above after I added a CAA record to the domain, but I had already started writing my post and forgot to update the title.

I'm going to fix those 10 errors and try again, thanks for your help.


All 10 errors are due to the same malfunctioning nameserver :)

Now that nameserver seems to be fixed (dnsviz doesn't show any more errors) but the certbot error I posted above is still there... is there anything else I should try?

What's the exact command and exact output? If I try to get a certificate for your hostname, it fails the challenge (which should obviously happen), but not any other error such as "No valid IP address" or "CAA error".


I don't know if it's the problem you're having, but your DNS servers don't support DNS-0x20 case randomization. The DNS servers Let's Encrypt uses to resolve names expect that when you ask for a name, the response comes back with the same case as the query, so they randomize which letters of the query are capitalized, which helps mitigate some possible DNS attacks. (This is use-caps-for-id: yes in the Unbound configuration.) But your servers always respond with a lowercase-only version of the name.

$ dig +norecurse +bufsize=512 wWw.infor-Mail.cOm @176.9.63.219

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5 <<>> +norecurse +bufsize=512 wWw.infor-Mail.cOm @176.9.63.219
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44577
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;wWw.infor-Mail.cOm.            IN      A

;; ANSWER SECTION:
www.infor-mail.com.     3600    IN      A       78.46.78.100

;; Query time: 96 msec
;; SERVER: 176.9.63.219#53(176.9.63.219)
;; WHEN: Thu May 27 14:16:11 UTC 2021
;; MSG SIZE  rcvd: 81

Note the "Answer Section" is all-lowercase, whereas for most DNS servers it's a copy of the capitalization in the Question Section.

My understanding is that not-echoing-back-capitalization is unusual, though not necessarily wrong, though I'm no RFC lawyer. :) But I think it's been a cause of some problems with some other people where DNS answers that unbound sees don't seem to match what one expects from other clients. But since it works in unboundtest then this probably isn't really your problem? Maybe?

Sorry, I just noticed it and thought posting about what I found might help, but this post may just be noise.

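One way to check the DNS-0x20 echo behaviour described above offline, as an added example that is not part of this thread or of any tool mentioned in it: the code builds an A query that preserves the query's letter case, then parses a response and reports the RCODE and whether the question section and the first answer's owner name echo that case exactly (0x20 verification proper compares the question section; the answer-name check mirrors what the dig output shows). The two response packets are constructed inline, one modelled on the lowercasing behaviour in the dig output, one on a server that uses a compression pointer back to the question name.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name, keeping the caller's letter case (the 0x20 bits)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """A-record query with RD=0 (like dig +norecurse) and no EDNS."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def check_0x20(query_name: str, response: bytes) -> dict:
    """Report RCODE and whether question/answer names echo the query's case exactly."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    qname, off = decode_name(response, 12)
    off += 4                                          # skip QTYPE and QCLASS
    aname = decode_name(response, off)[0] if ancount else None
    want = query_name.rstrip(".")
    return {"rcode": flags & 0xF,                     # 0 NOERROR, 2 SERVFAIL
            "question_echoes_case": qname == want,
            "answer_echoes_case": aname == want,
            "answer_name": aname}

# Constructed packets (not captured traffic) modelled on the dig output above.
QNAME = "wWw.infor-Mail.cOm"
HDR = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)      # QR|AA, NOERROR, 1 question, 1 answer
QSEC = encode_name(QNAME) + struct.pack("!HH", 1, 1)
RR_TAIL = struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([78, 46, 78, 100])
RESP_LOWERCASE = HDR + QSEC + encode_name("www.infor-mail.com") + RR_TAIL   # owner name rewritten lowercase
RESP_ECHO = HDR + QSEC + b"\xC0\x0C" + RR_TAIL                             # pointer back to the question name

if __name__ == "__main__":
    for label, pkt in (("lowercasing server", RESP_LOWERCASE), ("echoing server", RESP_ECHO)):
        print(label, check_0x20(QNAME, pkt))
```

Against a live authoritative server you would send build_query(...) over UDP to port 53 and pass the raw reply to check_0x20; a server that lowercases the owner name still passes the question-section check, which is why Unbound alone may not reject it.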

My command is always the same as the one I posted above in my first post.

If I try to get a certificate for your hostname, it fails the challenge (which should obviously happen)

If you think it could help, I can add a new A record to my zone pointing to any IP address you tell me.

It's probably more helpful if you'd post the output of a recent attempt (as I requested in my previous post too), as the DNS error(s) should be gone now.

OK, I did not make it clear enough: the command I enter and its output are still the same as those in my first post, even if I run it again now.

Anyway, if having them copied over here can help, here it is from the last run in my terminal, about 20 seconds ago:

# certbot certonly --webroot --webroot-path /srv/uxmailer/web/infor-mail/htdocs/www.infor-mail.com/ -d infor-mail.com,www.infor-mail.com,mail.infor-mail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/infor-mail.com.conf)

It contains these names: infor-mail.com, www.infor-mail.com

You requested these names for the new certificate: infor-mail.com,
www.infor-mail.com, mail.infor-mail.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for infor-mail.com
Using the webroot path /srv/uxmailer/web/infor-mail/htdocs/www.infor-mail.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. infor-mail.com (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for infor-mail.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: infor-mail.com
   Type:   None
   Detail: No valid IP addresses found for infor-mail.com

Very strange, as I'm not seeing any DNS issues when I run certbot for all your domains, just the expected challenge errors.

Could you please share the contents of /var/log/letsencrypt/letsencrypt.log?

I did see it work once or twice on unboundtest, but I now see a SERVFAIL:

https://unboundtest.com/m/A/infor-mail.com/C5OLTF2O

I'm not quite skilled enough at reading the output to understand the problem, though. Is there any chance that your authoritative DNS servers have some sort of firewalling that might be sometimes stopping a system that's doing a bunch of checks at once?

Here's the log:

https://hastebin.com/ewavenozaf.yaml

@petercooperjr there isn't any such firewall that I am aware of, but I don't know if my provider has that by default (Hetzner)

Log doesn't show anything weird.

So Unboundtest sometimes gives back a good CAA record and sometimes a SERVFAIL. Quite odd.

Not sure how to debug this further, as the logs from Unbound are, like, very hard (if not impossible) to decipher.

Tried again a few seconds ago and it worked, but I haven't changed anything. Only tried again just for the sake of it.

Figures, as it seems to work sometimes. I did four runs on Unboundtest of which three were fine and one was not.
