DNS problem: SERVFAIL looking up A for rednour.net

My domain is: rednour.net

I ran this command: certbot certonly --webroot --config le-config.ini --non-interactive -d rednour.net -d www.rednour.net

It produced this output: Challenge failed for all domains. Upon looking up the challenge, it showed that it was having trouble getting the A records for my domain name on both the WWW and non-WWW. This is strange because I checked and made sure that the records are available via dig, dnschecker.org, intoDns, and Google Dig. Any ideas if this is a problem with Let’s Encrypt or the DNS provider?

It’s worth noting that I have issued certs for other domins both before and after attempting this domain, which would lead me to believe the issue is somewhere outside of my usage of certbot.

See them below:
https://acme-v01.api.letsencrypt.org/acme/authz-v3/778512045
https://acme-v01.api.letsencrypt.org/acme/authz-v3/778512027

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.25.1

1 Like

Hi @retsdev

there are older checks of your domain, created yesterday - https://check-your-website.server-daten.de/?q=rednour.net

ns

Your name server configuration looks curious. Checking the name servers manual:

D:\temp>nslookup -type=NS rednour.net.
rednour.net nameserver = dns015.c.register.com
rednour.net nameserver = dns177.d.register.com
rednour.net nameserver = dns185.b.register.com
rednour.net nameserver = dns131.a.register.com

Looks like there are different configurations.

Unboundtest doesn't see errors - https://unboundtest.com/m/A/www.rednour.net/BNLJQUBA

That's curious, because Letsencrypt uses an unbound version with the same configuration.

And your dns131.a.register.com is buggy:

Nameserver doesn't pass all EDNS-Checks: dns131.a.register.com: OP100: no result. FLAGS: no result. V1: no result. V1OP100: no result. V1FLAGS: no result. DNSSEC: no result. V1DNSSEC: no result. NSID: no result. COOKIE: no result. CLIENTSUBNET: no result.

May be the reason "dns timeout"

"DNS problem: query timed out looking up A for www.rednour.net
DNS problem: SERVFAIL looking up A for rednour.net

Runs there an old dns software?

PS: There is no older certificate, so it's your first certificate.

2 Likes

Thanks Juergen,

With what you have shared it leads me to think the problem lies with the DNS provider’s namerservers behaving incorrectly. I think the best bet would be to move nameservers and see if that works.

2 Likes

If this is possible, yes, that's the easiest solution.

And yep, two checks - two different answers:

Using raw nslookup:

D:\temp>nslookup -type=NS rednour.net.
rednour.net nameserver = dns015.c.register.com
rednour.net nameserver = dns177.d.register.com
rednour.net nameserver = dns185.b.register.com
rednour.net nameserver = dns131.a.register.com

Using the a.gtld-servers.net, one of the authoritative name servers of the net zone:

D:\temp>nslookup -type=NS rednour.net. a.gtld-servers.net.
(root) nameserver = k.root-servers.net
(root) nameserver = l.root-servers.net
(root) nameserver = m.root-servers.net
(root) nameserver = a.root-servers.net
(root) nameserver = b.root-servers.net
(root) nameserver = c.root-servers.net
(root) nameserver = d.root-servers.net
(root) nameserver = e.root-servers.net
(root) nameserver = f.root-servers.net
(root) nameserver = g.root-servers.net
(root) nameserver = h.root-servers.net
(root) nameserver = i.root-servers.net
(root) nameserver = j.root-servers.net

rednour.net nameserver = dns1.srsplus.com
rednour.net nameserver = dns2.srsplus.com

Both results should be the same.

Correct:

D:\temp>nslookup -type=NS server-daten.de.
server-daten.de nameserver = ns.inwx.de
server-daten.de nameserver = ns5.inwx.net
server-daten.de nameserver = ns4.inwx.com
server-daten.de nameserver = ns3.inwx.eu
server-daten.de nameserver = ns2.inwx.de

versus

D:\temp>nslookup -type=NS server-daten.de. a.nic.de.
server-daten.de nameserver = ns5.inwx.net
server-daten.de nameserver = ns4.inwx.com
server-daten.de nameserver = ns2.inwx.de
server-daten.de nameserver = ns3.inwx.eu
server-daten.de nameserver = ns.inwx.de

Both queries with the same result.


An additional check:

D:\temp>nslookup -type=NS rednour.net. dns1.srsplus.com.
rednour.net nameserver = dns185.b.register.com
rednour.net nameserver = dns015.c.register.com
rednour.net nameserver = dns131.a.register.com
rednour.net nameserver = dns177.d.register.com

So the name server of the net zone says: dns1.srsplus.com is the name server.

But that name server says: Ask these other ns.

Looks buggy, but I don't know exact, if such a dns configuration is allowed.

1 Like

There were “unspecified” issues with register.com that have since been resolved and my domain has been validated by Let’s Encrypt.

1 Like

This was also discussed in
DNS problem: SERVFAIL looking up A

It was a problem with register.com that several people were reporting.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.