DNS problem: SERVFAIL looking up A for

I am trying to generate a new cert and I am getting the error bellow. I am not seeing problems with A records for that domain, as per nslookup tests:

nslookup

set q=NS
monikericci.com.br
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
monikericci.com.br nameserver = ns2.clicregistro.info.
monikericci.com.br nameserver = ns.clicregistro.info.

Authoritative answers can be found from:

server ns.clicregistro.info
Default server: ns.clicregistro.info
Address: 143.137.191.36#53
set q=A
www.monikericci.com.br
Server: ns.clicregistro.info
Address: 143.137.191.36#53

www.monikericci.com.br canonical name = app.simplo7.net.

server ns2.clicregistro.info
Default server: ns2.clicregistro.info
Address: 143.137.191.37#53
set q=A
www.monikericci.com.br
Server: ns2.clicregistro.info
Address: 143.137.191.37#53

www.monikericci.com.br canonical name = app.simplo7.net.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
monikericci.com.br

I ran this command:
certbot certonly --webroot -w /mnt/nfs/stores/static/20514/ -d monikericci.com.br,www.monikericci.com.br --email suporte@dlojavirtual.com --agree-tos --no-eff-email --manual-public-ip-logging-ok --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/deploy.sh --noninteractive

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.monikericci.com.br
Using the webroot path /mnt/nfs/stores/static/20514 for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.monikericci.com.br
http-01 challenge for www.monikericci.com.br
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.monikericci.com.br
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for
    www.monikericci.com.br

My web server is (include version):
Apache/2.4.6

The operating system my web server runs on is (include version):
Centos7

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

1 Like

Hi @afagund

checking that domain there are problems visible - https://check-your-website.server-daten.de/?q=monikericci.com.br

X Fatal error: Nameserver doesn’t support TCP connection: ns.clicregistro.info / 143.137.191.36: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.alojasegura.com.br: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns2.clicregistro.info / 143.137.191.37: Timeout

Same with Unboundtest:

https://unboundtest.com/m/A/www.monikericci.com.br/UQVTRMBR

Jan 22 13:38:08 unbound[14074:0] info: response for ns2.clicregistro.info. AAAA IN
Jan 22 13:38:08 unbound[14074:0] info: reply from <clicregistro.info.> 143.137.191.36#53
Jan 22 13:38:08 unbound[14074:0] info: query response was nodata ANSWER
Jan 22 13:38:08 unbound[14074:0] error: tcp connect: Connection refused for 143.137.191.36 port 53
Jan 22 13:38:08 unbound[14074:0] error: tcp connect: Connection refused for 143.137.191.36 port 53

So your name servers are buggy.

1 Like

@JuergenAuer, should’nt DNS queries go via por 53 UDP and zone transfers via 53 TCP? Why 53 TCP would be causing this issue?

Authoritative name servers must support TCP-connections.

https://www.iana.org/help/nameserver-requirements

Name server reachability

The name servers must answer DNS queries over both the UDP and TCP protocols on port 53.

So a connection refused is critical. Letsencrypt checks such things with an unbound configuration like Unboundtest. So Unboundtest fails -> Letsencrypt will fail.

2 Likes

@JuergenAuer, thanks for clarifying.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.