DNS problem: SERVFAIL looking up A for chh.lightboxcreative.co.nz

Hey guys,

I just created a new certificate and all went well, but then I ran the command to dry-run a renewal:
sudo certbot renew --dry-run

and I’m getting a DNS failure, which is strange:

tls-sni-01 challenge for chh.lightboxcreative.co.nz
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/chh.lightboxcreative.co.nz.conf produced an unexpected error: Failed authorization procedure. chh.lightboxcreative.co.nz (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for chh.lightboxcreative.co.nz. Skipping.

Have seen some other advice about adding VirtualHost *:80 to the default, but mine is already set like that.

I’m on Ubuntu 14.04 running Apache

Hi @tinfoilery,

This normally indicates a real problem in the configuration of the nameservers, which can be diagnosed with something like

In this case there's an error reported about SOA records, which could account for the problem you're seeing.

looks like you have solved the issue

as this forum is used for learning, it’s always appreciated if users provide feedback such as “yes, it was the DNS record, fixed it, now it’s all working” so others can learn

Andrei

@schoen

First off thank you for the help there, I’ve got in touch with the person who has access to the DNS and have asked them to fix the issues.

Secondly @ahaw021 Not sure how you think the issue is fixed as the DNS report still says 2 errors and I retested the command and it’s still not working for me.

I always send thanks to people who help me, but in this case it’s still in progress.

hi @tinfoilery

someone has installed a valid certificate on your server that was issued today.

therefore one would assume that you managed to fix the problem?

Not sure who fixed it or installed a working cert

@ahaw021 The problem is not getting a working cert, it’s a test of the dry run of the certificate renewal process, as per the command I put in my original post:

certbot renew --dry-run

I realise it won’t affect me for 3 or 4 months or however long the certificate lasts, but I’m looking to sort it now before it becomes urgent.

It appears this is caused by one of the DNS servers for your zone advertising an IPv6 address which it won’t actually respond to.

[roland]$ dig ns lightboxcreative.co.nz +short 
ns2.partnerconsole.net.
ns1.partnerconsole.net.
ns3.partnerconsole.net.
[roland]$ dig aaaa ns2.partnerconsole.net +short 
2403:1400:2:3::4
[roland]$ dig caa chh.lightboxcreative.co.nz @2403:1400:2:3::4

; <<>> DiG 9.10.3 <<>> caa chh.lightboxcreative.co.nz @2403:1400:2:3::4
;; global options: +cmd
;; connection timed out; no servers could be reached
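The dig sequence above can be scripted. The following is an added example (not code from the thread or from Certbot) that sends a single DNS query straight to a nameserver address, IPv4 or IPv6, and distinguishes a timeout from an actual answer; it uses only the Python standard library, and the address and hostname in the main block are the ones quoted above.

```python
import socket
import struct

# Added diagnostic in the spirit of the dig session above: query one
# nameserver address directly and classify timeout vs. answer.
# Standard library only; probe() sends real packets, the helpers do not.
QTYPES = {"A": 1, "NS": 2, "AAAA": 28, "CAA": 257}
TXID = 0x1234  # fixed transaction id so a reply can be matched to its query


def build_query(name, qtype):
    """Encode a minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(data):
    """Return (txid, rcode, answer_count) from the 12-byte reply header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, an


def classify(data):
    """Map a raw reply to a short verdict like dig's status line."""
    txid, rcode, an = parse_header(data)
    if txid != TXID:
        return "mismatched transaction id"
    names = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    return f"{names.get(rcode, 'rcode ' + str(rcode))} ({an} answers)"


def probe(server, name, qtype="A", timeout=3.0):
    """Send one UDP query to a nameserver address and report the outcome."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout: address is advertised in DNS but does not answer"
        except OSError as exc:  # e.g. no IPv6 route on this host
            return f"error: {exc}"
    return classify(data)


if __name__ == "__main__":
    # Address and name taken from the dig output in the thread.
    print(probe("2403:1400:2:3::4", "chh.lightboxcreative.co.nz", "CAA"))
```

Running probe() against each address listed for every NS of the zone shows which nameserver addresses answer and which silently time out, which is what makes a validator report SERVFAIL or a timeout.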

@roland Thanks for the help there.

Does that actually mean it’s a DNS server issue and not anything I can do on my server? Should I get in contact with the DNS provider?

Does the system not attempt an IPv4 DNS lookup?

Most likely, yes, it’s an issue with your DNS provider and you should get in touch with them. Thanks!

Thanks for all the help @jsha

I’ve contacted the DNS provider with no response. Do you know if there is a workaround? For instance, how was the initial certificate able to be created but now there is a problem with the renewal?

Maybe the IPv6 address used to work, or the other DNS problems didn’t exist at that time?

If you’re not in danger of running into trouble with the rate limits, you can also force the real renewal to see if there is a difference between the staging server and production server (e.g. Certbot’s --force-renewal option).


@schoen

Amazing! That was it.

Just the dry run was failing. Thanks a lot. Issue Solved / Irrelevant.

Can also confirm that the dry run is still failing.

Check letsencrypt.log. It may have reused a validation from weeks ago, without doing it over again.

(Look for the JSON data structure that contains “identifier”, “status”, “expires”, “challenges”, etc.)

Is this any help?

{
  "identifier": {
    "type": "dns",
    "value": "chh.lightboxcreative.co.nz"
  },
  "status": "invalid",
  "expires": "2017-04-05T01:25:24Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/O8pkotS_woSEaT_rW5cfi9h-9KLa2WBGH-NPpzC5OtY/31955570",
      "token": "bWpM4gugYrZVQtV-XuDkzwAu3U-Fbb-jNBmV1v_9fY0"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "DNS problem: query timed out looking up A for chh.lightboxcreative.co.nz",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/O8pkotS_woSEaT_rW5cfi9h-9KLa2WBGH-NPpzC5OtY/31955571",
      "token": "zWMy_MXwWHn54QaRN26G89XBJCDguiP7MQLSJ4-LwK4",
      "keyAuthorization": "zWMy_MXwWHn54QaRN26G89XBJCDguiP7MQLSJ4-LwK4.RlVZUPyfpnyZCqNKmJwPxpsQ2WDWzbcXzXep96dI8yY",
      "validationRecord": [
        {
          "hostname": "chh.lightboxcreative.co.nz",
          "port": "",
          "addressesResolved": [],
          "addressUsed": ""
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/O8pkotS_woSEaT_rW5cfi9h-9KLa2WBGH-NPpzC5OtY/31955572",
      "token": "1J04lOCbbuNmTlwD5jgBDoR9SAHpqzpyIdZbqu__myo"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}
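An added helper (not from the thread or from Certbot) that reads an authorization object like the one above out of letsencrypt.log and reports whether it is a still-valid authorization that could have been reused without a fresh challenge, or which challenge failed and what the validator resolved; the embedded sample is the authorization above, trimmed to the fields the summary uses.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the staging authorization from the thread, trimmed.
SAMPLE_AUTHZ = """{
  "identifier": {"type": "dns", "value": "chh.lightboxcreative.co.nz"},
  "status": "invalid",
  "expires": "2017-04-05T01:25:24Z",
  "challenges": [
    {"type": "http-01", "status": "pending"},
    {"type": "tls-sni-01", "status": "invalid",
     "error": {"type": "urn:acme:error:connection",
               "detail": "DNS problem: query timed out looking up A for chh.lightboxcreative.co.nz",
               "status": 400},
     "validationRecord": [{"hostname": "chh.lightboxcreative.co.nz",
                           "addressesResolved": [], "addressUsed": ""}]},
    {"type": "dns-01", "status": "pending"}
  ]
}"""


def summarize_authz(text, now=None):
    """Classify one ACME authorization object copied from letsencrypt.log.

    valid_and_unexpired is True when the object is a valid authorization that
    has not yet expired, i.e. the client could have reused it and skipped the
    challenge entirely; otherwise the failed challenges are listed with the
    error detail and whatever addresses the validator managed to resolve.
    """
    authz = json.loads(text)
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(authz["expires"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    failed = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        records = ch.get("validationRecord", [])
        failed.append({
            "type": ch["type"],
            "error": ch.get("error", {}).get("detail", ""),
            "addresses_resolved": [a for r in records for a in r.get("addressesResolved", [])],
        })
    return {
        "domain": authz["identifier"]["value"],
        "status": authz["status"],
        "valid_and_unexpired": authz["status"] == "valid" and expires > now,
        "failed": failed,
    }
```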
