DNS problem: SERVFAIL looking up A for domain.com and TXT for _acme-challenge


#1

Hi, I have problems renewing via AutoSSL the Let's Encrypt certificate of my site: entrenandofacilitadores.com, which worked fine (I think) until I changed the DNS nameservers indicated by my hosting provider.

This domain is configured as an addon domain of a main domain.

I will be grateful to receive help, since I do not dominate this topic in depth.

My domain is: entrenandofacilitadores.com

I ran this command: AutoSSL (is running in auto)

It produced this output:

An error occurred the last time AutoSSL ran, on 31 de octubre de 2018:

MASTER DCV: DNS problem: SERVFAIL looking up A for entrenandofacilitadores.com (urn:acme:error:dns) DNS problem: SERVFAIL looking up TXT for _acme-challenge.entrenandofacilitadores.com (urn:acme:error:dns)

Note: in the Zone editor of my domain, I see an A Record for: entrenandofacilitadores.com, and a TXT Record for: _acme-challenge.entrenandofacilitadores.com.

My web server is (include version):

The operating system my web server runs on is (include version):
Versión Apache:2.4.35
Versión PHP:5.6.38
Versión MySQL:5.6.41
Arquitectura:x86_64
Sistema operativo:linux
Dirección IP compartida:192.154.97.34

My hosting provider, if applicable, is: Lifetime.hosting

I can login to a root shell on my machine (yes):

I'm using a control panel to manage my site: cPanel version 76.0 (build 1)


#2

Hi @360sms

checked with nslookup - no problem. But checked with letsdebug:

https://letsdebug.net/entrenandofacilitadores.com/7339

DNS response for entrenandofacilitadores.com had fatal DNSSEC issues: validation failure <entrenandofacilitadores.com. CAA IN>: No DNSKEY record from 167.99.13.233 for key entrenandofacilitadores.com. while building chain of trust

Looks like a wrong DNSSEC configuration.


#3

Hi @JuergenAuer, very nice of you to reply.

Those IPs from the letsdebug.net test, 167.99.13.133 and 138.197.210.34, are those of my DNS nameservers.

Watching the Zone Editor for my domain, I see that I do not have the DNSSEC option (only +A Record, +CNAME Record, +MX Record and Admin).

Could you give me some idea to guide any solution at this point of DNSSEC?

I'll be very grateful.


#4

You have to either remove the DS record at your domain registrar (CDmon) to completely disable DNSSEC, or enable it at your DNS provider (Lifetime.Hosting), if they support it. (You may have to change the DS record, too.)
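The two fixes in post #4 correspond to two consistent delegation states. The following is an added example, not part of the original thread and not code from Let's Encrypt or letsdebug: it checks whether the DS set at the parent matches the DNSKEY set the zone's nameservers publish. The zone name, the key bytes and every function name are constructed for illustration; only SHA-256 (digest type 2) DS records are handled and no signatures are verified.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Canonical (lowercased) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def classify(owner, ds_set, dnskey_set):
    """ds_set: (key_tag, alg, digest_type, digest_hex) tuples from the parent zone.
    dnskey_set: (flags, protocol, alg, pubkey_b64) tuples from the zone's nameservers."""
    if not ds_set:
        return "insecure: no DS at parent, validators expect no signatures"
    if not dnskey_set:
        return "bogus: DS at parent but nameservers return no DNSKEY"
    for tag, alg, dtype, digest in ds_set:
        for key in dnskey_set:
            rd = dnskey_rdata(*key)
            if (dtype == 2 and key[2] == alg and key_tag(rd) == tag
                    and ds_sha256(owner, rd) == digest.lower()):
                return "secure: DS matches a published DNSKEY"
    return "bogus: no published DNSKEY matches any DS"

if __name__ == "__main__":
    zone = "example.test."  # constructed zone name
    key = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())  # constructed key
    rd = dnskey_rdata(*key)
    ds = (key_tag(rd), 13, 2, ds_sha256(zone, rd))
    print(classify(zone, [ds], []))     # DS without DNSKEY: the failure in post #2
    print(classify(zone, [], []))       # after removing the DS at the registrar
    print(classify(zone, [ds], [key]))  # after enabling DNSSEC at the DNS provider
```

A validating resolver answers SERVFAIL for a "bogus" zone, which is why the A and TXT lookups fail even though both records exist in the zone editor.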


#5

Hi @mnordhoff, thanks for your reply.

Watching my registrar (CDmon), I didn't find any DS record or DNSSEC function, and in my DNS provider I didn't see that they support it.
I will continue investigating to find some clue.

Thanks again, if you have any other possible idea.


#6

I’ve never used CDmon (and can’t read Spanish) so I can’t help much.

Look around their control panel for DS or DNSSEC settings. It might be near DNS settings, or nameserver settings, or somewhere else.

Check their documentation.

If you can’t find anything, contact their support.

If they refuse to help, the only option left would be to transfer your domain to a different registrar.

Edit: Did you buy the domain directly from CDmon, or through some sort of reseller?


#7

OK, your help is very useful!! I am going to contact tech support and see the possibilities.

The domain was purchased from another provider, but transferred to CDmon.