DNS problem: SERVFAIL looking up A

A few days ago I made a physical change in one of my servers, the hardware was failing so I changed the hard drive to another new server, configured the same ips (public and private) and everything seemed fine but the next day I noticed that the others servers no longer worked by domain only with the public ip, I just tried to renew the certificate of one of those servers and it gave me a DNS error.

My domain is: nsba.telsurcallcenter.com

I ran this command: certbot renew

It produced this output:

Challenge failed for domain nsba.telsurcallcenter.com
http-01 challenge for nsba.telsurcallcenter.com
Cleaning up challenges
Attempting to renew cert (nsba.telsurcallcenter.com) from /etc/letsencrypt/renewal/nsba.telsurcallcenter.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nsba.telsurcallcenter.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nsba.telsurcallcenter.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nsba.telsurcallcenter.com
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up A for
   nsba.telsurcallcenter.com - the domain's nameservers may be
   malfunctioning; DNS problem: SERVFAIL looking up AAAA for
   nsba.telsurcallcenter.com - the domain's nameservers may be
   malfunctioning

My web server is (include version): Apache

The operating system my web server runs on is (include version): openSUSE Leap 15.1

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.0.0

This really isn't related to Let's Encrypt, or to your web server. Your name servers are returning "SERVFAIL" for that name and nobody can get to your site. Let's Encrypt needs to connect to your site for the most common method of validating that you own it, so it's just reporting the problem it's having connecting.

4 Likes

ok I understand, so it's just saying that it can't connect to my domain :woman_facepalming:t2: I thought it had to do with the DNS

It does. Your DNS is misconfigured, so that means that nobody can get to your domain.

3 Likes

but my server dns are 8.8.8.8 and 4.2.2.2

No, your authoritative name servers according to your domain registrar are:

NS1.MEDIATEMPLE.NET
NS2.MEDIATEMPLE.NET

You can see this site unboundtest.com to see the SERVFAIL

You might also want to see DNSviz site for some errors. This site often helps people with DNS setup problems

3 Likes

When you ping nsba.telsurcallcenter.com from inside the Web server, do you get 127.0.0.1 (or any localhost IP)? If you get public, fix hosts file. If you get a private IP, such as the aforementioned one, fix the .conf files.

1 Like

when pinging the server I receive the public IP

@Karely90 Did you do something to your DNS registrar since around March 31 this year? I saw you got a Let's Encrypt cert for your phone2 domain then. You last got a cert for nsba domain on Feb 22. So, all was well on those two dates.

I see the domain is pending transfer to a new registrar. Is that something you know about? Because that could be related to these problems.

Use site ICANN Lookup and lookup your apex name telsurcallcenter.com. Then look at the Domain Status and you will see what I mean.

3 Likes

Run:

nano /etc/hosts

Add the following inside the hosts file:

127.0.0.1 nsba.telsurcallcenter.com

I recommend adding the public if it's static inside of the hosts file too.

We are working on a problem with the public DNS config. Let's Encrypt servers are not able to resolve the records it needs. What problem are you trying to resolve by adjusting the client's hosts file?

See the links in my post #6 or even results from the Let's Debug test site

2 Likes

The only change I made was to move my server's hard drive to a new server.

Yes, but this change started yesterday and I have had the problem since last week.

1 Like

Because the site doesn't even resolve nameservers, a lot more was done than what was explained above. Replacing a server does not misconfigure DNS at the registrar level.

Once, you fix DNS, you should be able to fix the other problem easily.

Asking a root DNS server who are the authoritative DNS servers for your domain:

nslookup -q=ns telsurcallcenter.com a.gtld-servers.net

telsurcallcenter.com    nameserver = ns1.mediatemple.net
telsurcallcenter.com    nameserver = ns2.mediatemple.net

Asking those servers who are the authoritative DNS servers for your domain:

nslookup -q=ns telsurcallcenter.com ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
*** ns1.mediatemple.net can't find telsurcallcenter.com: Server failed

nslookup -q=ns telsurcallcenter.com ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
*** ns2.mediatemple.net can't find telsurcallcenter.com: Server failed

So, the Internet can't find/resolve your entire domain.

2 Likes

Just in case anyone is wondering...
Yes, the DNS servers are responding:

nslookup -q=ns localhost ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
localhost       nameserver = localhost
localhost       internet address = 127.0.0.1

nslookup -q=ns localhost ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
localhost       nameserver = localhost
localhost       internet address = 127.0.0.1

nslookup -q=ns mediatemple.com ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
mediatemple.com nameserver = ns2.mediatemple.net
mediatemple.com nameserver = ns1.mediatemple.net

nslookup -q=ns mediatemple.com ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
mediatemple.com nameserver = ns2.mediatemple.net
mediatemple.com nameserver = ns1.mediatemple.net
2 Likes

My domain provider told me yesterday that they have started a process to change the mediatemple domain. Do you think that when this change is over, this problem will be resolved?

1 Like

We can only hope. I have no special knowledge on what they plan to do.

But, yes, if you get the public DNS problem fixed you should be able to get certs again. I do not see anything wrong with your client's DNS lookup config. If that was broken your error would be much different. You resolved and connected to the Let's Encrypt server just fine. It just could not reach you back because of the public DNS problem (mediatemple).

2 Likes

Hello everyone, the day before yesterday I finished the transfer of the domain, the DNS were added and that's it, I was able to renew the certificate, thank you all for your help

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.