DNS problem: SERVFAIL looking up A for css.paged.media

Hi there,

I am trying to issue a certificate for css.paged.media.

ajung@dev ~ $ dig -t NS paged.media

; <<>> DiG 9.11.1-P3-RedHat-9.11.1-2.P3.fc26 <<>> -t NS paged.media
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41734
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;paged.media.                   IN      NS

;; ANSWER SECTION:
paged.media.            86400   IN      NS      ns.namespace4you.de.
paged.media.            86400   IN      NS      ns2.namespace4you.de.

;; Query time: 162 msec
;; SERVER: 213.136.95.10#53(213.136.95.10)
;; WHEN: Fri Nov 03 13:27:09 CET 2017
;; MSG SIZE  rcvd: 91

ajung@dev ~ $ ping css.paged.media
PING css.paged.media(vmd16513.contabo.host (2a02:c207:3001:6513::1)) 56 data bytes
64 bytes from vmd16513.contabo.host (2a02:c207:3001:6513::1): icmp_seq=1 ttl=62 time=37.5 ms

The DNS is properly configured, the related host is reachable.

However, LE is unable to verify the DNS entry:

certbot  certonly --standalone -d css.paged.media
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for css.paged.media
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. css.paged.media (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for css.paged.media

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: css.paged.media
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for css.paged.media


  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.6/site-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.6/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. css.paged.media (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for css.paged.media

I also tried the DNS with dnschecker.org and others…all green…just LE hates me.

What could be the problem?

Andreas

There’s a DNSSEC configuration issue. No validating resolver can resolve the domain.

http://dnsviz.net/d/paged.media/Wfxk3A/dnssec/

There’s a DS record set at the registrar, but the domain’s nameservers aren’t doing DNSSEC.

You need to configure DNSSEC on the nameservers (using the configured key), or remove the DS record.

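The diagnosis in the reply above can be reproduced with dig alone. This is an added example, not part of the thread or of certbot: it classifies the failure from the rcode a validating resolver returns with and without `+cd` (checking disabled) and from the DS and DNSKEY answers. The function names, the resolver argument and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# rcode_of DIG_OUTPUT: status field from dig's ->>HEADER<<- line.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# count_rr SHORT_OUTPUT: number of records in a `dig +short` answer.
count_rr() {
    printf '%s\n' "$1" | awk 'NF && $0 !~ /^;/ { n++ } END { print n + 0 }'
}

# classify VALIDATING_RCODE CD_RCODE DS_COUNT DNSKEY_COUNT
# CD_RCODE is the rcode of the same query sent with +cd (no validation).
classify() {
    if [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ] && [ "$3" -gt 0 ] && [ "$4" -eq 0 ]; then
        echo "dnssec-broken: DS at parent, no DNSKEY served by the zone"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        echo "dnssec-broken: validation fails, inspect the DS/DNSKEY/RRSIG chain"
    elif [ "$1" = "SERVFAIL" ]; then
        echo "nameserver-failure: fails even with validation disabled"
    elif [ "$3" -gt 0 ]; then
        echo "no-dnssec-failure: zone is signed"
    else
        echo "no-dnssec-failure: zone is unsigned"
    fi
}

# diagnose NAME ZONE RESOLVER AUTH_NS: live queries (needs network).
# RESOLVER must be a validating resolver; AUTH_NS is one of the zone's nameservers.
diagnose() {
    v=$(rcode_of "$(dig A "$1" "@$3")")
    c=$(rcode_of "$(dig +cd A "$1" "@$3")")
    ds=$(count_rr "$(dig +short +cd DS "$2" "@$3")")
    keys=$(count_rr "$(dig +short +norecurse DNSKEY "$2" "@$4")")
    classify "$v" "$c" "$ds" "$keys"
}

# Constructed sample input modelled on the thread: SERVFAIL from a validating
# resolver, NOERROR with +cd, one DS at the parent, no DNSKEY from the zone.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002'
SAMPLE_DS='12345 8 2 CONSTRUCTEDDIGESTPLACEHOLDER'
SAMPLE_DNSKEY=''
demo() {
    classify "$(rcode_of "$SAMPLE_VALIDATING")" "$(rcode_of "$SAMPLE_CD")" \
        "$(count_rr "$SAMPLE_DS")" "$(count_rr "$SAMPLE_DNSKEY")"
}
demo
```

With network access, `diagnose css.paged.media paged.media <validating-resolver> ns.namespace4you.de` runs the same classification on live answers.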