DNS problem: SERVFAIL looking up A

A few days ago I made a physical change to one of my servers. The hardware was failing, so I moved the hard drive to another new server and configured the same IPs (public and private). Everything seemed fine, but the next day I noticed that the other servers no longer worked by domain name, only by public IP. I just tried to renew the certificate of one of those servers and it gave me a DNS error.

My domain is: nsba.telsurcallcenter.com

I ran this command: certbot renew

It produced this output:

Challenge failed for domain nsba.telsurcallcenter.com
http-01 challenge for nsba.telsurcallcenter.com
Cleaning up challenges
Attempting to renew cert (nsba.telsurcallcenter.com) from /etc/letsencrypt/renewal/nsba.telsurcallcenter.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nsba.telsurcallcenter.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nsba.telsurcallcenter.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: nsba.telsurcallcenter.com
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up A for
   nsba.telsurcallcenter.com - the domain's nameservers may be
   malfunctioning; DNS problem: SERVFAIL looking up AAAA for
   nsba.telsurcallcenter.com - the domain's nameservers may be
   malfunctioning

My web server is (include version): Apache

The operating system my web server runs on is (include version): openSUSE Leap 15.1

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.0.0

This really isn't related to Let's Encrypt, or to your web server. Your name servers are returning "SERVFAIL" for that name and nobody can get to your site. Let's Encrypt needs to connect to your site for the most common method of validating that you own it, so it's just reporting the problem it's having connecting.

7 Likes

OK, I understand, so it's just saying that it can't connect to my domain. I thought it had to do with the DNS.

It does. Your DNS is misconfigured, so that means that nobody can get to your domain.

6 Likes

But my server's DNS servers are 8.8.8.8 and 4.2.2.2.

No, your authoritative name servers according to your domain registrar are:

NS1.MEDIATEMPLE.NET
NS2.MEDIATEMPLE.NET

You can use the site unboundtest.com to see the SERVFAIL.

You might also want to check the DNSviz site for some errors. That site often helps people with DNS setup problems.

6 Likes

When you ping nsba.telsurcallcenter.com from inside the Web server, do you get 127.0.0.1 (or any localhost IP)? If you get public, fix hosts file. If you get a private IP, such as the aforementioned one, fix the .conf files.

1 Like

When pinging the server I receive the public IP.

@Karely90 Did you do something to your DNS registrar since around March 31 this year? I saw you got a Let's Encrypt cert for your phone2 domain then. You last got a cert for nsba domain on Feb 22. So, all was well on those two dates.

I see the domain is pending transfer to a new registrar. Is that something you know about? Because that could be related to these problems.

Use the ICANN Lookup site and look up your apex name telsurcallcenter.com. Then look at the Domain Status and you will see what I mean.

6 Likes

Run:

nano /etc/hosts

Add the following inside the hosts file:

127.0.0.1 nsba.telsurcallcenter.com

I recommend adding the public IP, if it's static, inside the hosts file too.

We are working on a problem with the public DNS config. Let's Encrypt servers are not able to resolve the records it needs. What problem are you trying to resolve by adjusting the client's hosts file?

See the links in my post #6, or even the results from the Let's Debug test site.

5 Likes

The only change I made was to move my server's hard drive to a new server.

Yes, but this change started yesterday and I have had the problem since last week.

1 Like

Because the site doesn't even resolve nameservers, a lot more was done than what was explained above. Replacing a server does not misconfigure DNS at the registrar level.

Once you fix DNS, you should be able to fix the other problem easily.

Asking a root DNS server who are the authoritative DNS servers for your domain:

nslookup -q=ns telsurcallcenter.com a.gtld-servers.net

telsurcallcenter.com    nameserver = ns1.mediatemple.net
telsurcallcenter.com    nameserver = ns2.mediatemple.net

Asking those servers who are the authoritative DNS servers for your domain:

nslookup -q=ns telsurcallcenter.com ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
*** ns1.mediatemple.net can't find telsurcallcenter.com: Server failed

nslookup -q=ns telsurcallcenter.com ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
*** ns2.mediatemple.net can't find telsurcallcenter.com: Server failed

So, the Internet can't find/resolve your entire domain.

5 Likes
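The nslookup session above boils down to one check: send an NS query directly to each server the TLD delegates to, and read the reply's rcode and AA bit. A SERVFAIL from a server that the registrar lists as authoritative means it has no working copy of the zone, which is exactly what the Let's Encrypt validator hit. The stdlib Python below reproduces that check as an added example (not code from this thread or from Certbot); the server IPs and zone name you pass to `probe()` are your own, and the reply bytes in the comments are constructed.

```python
"""Send a non-recursive NS query to one name server and classify the reply
(added example; the probe() target and zone are whatever you pass in)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_NS = 2

def build_query(name: str, qtype: int = QTYPE_NS, txid: int = 0x1234) -> bytes:
    """Build a DNS query with the RD bit cleared, as nslookup -q=ns does when
    pointed at an authoritative server (we want its own answer, not recursion)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify(reply: bytes, txid: int = 0x1234) -> dict:
    """Read the 12-byte header: transaction id, AA flag, rcode, answer count."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    return {
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "authoritative": bool(flags & 0x0400),  # AA bit
        "answers": an,
    }

def verdict(info: dict) -> str:
    """Map header fields to the diagnosis reached in the thread above."""
    if info["rcode"] == "SERVFAIL":
        return "server listed as authoritative but not serving the zone"
    if info["rcode"] == "NOERROR" and info["authoritative"] and info["answers"]:
        return "authoritative answer"
    if info["rcode"] == "NOERROR" and not info["authoritative"]:
        return "non-authoritative (lame) answer"
    return info["rcode"]

def probe(server_ip: str, zone: str, timeout: float = 3.0) -> str:
    """Network path: one UDP query to one name server, returns the verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server_ip, 53))
        reply, _ = s.recvfrom(512)
    return verdict(classify(reply))
```

Run `probe()` once per NS record the TLD hands back; if every listed server returns SERVFAIL, the fix is at the registrar or DNS host, not on the web server.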

Just in case anyone is wondering...
Yes, the DNS servers are responding:

nslookup -q=ns localhost ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
localhost       nameserver = localhost
localhost       internet address = 127.0.0.1

nslookup -q=ns localhost ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
localhost       nameserver = localhost
localhost       internet address = 127.0.0.1

nslookup -q=ns mediatemple.com ns1.mediatemple.net
Server:  ns1.mediatemple.net
Address:  64.207.128.246
mediatemple.com nameserver = ns2.mediatemple.net
mediatemple.com nameserver = ns1.mediatemple.net

nslookup -q=ns mediatemple.com ns2.mediatemple.net
Server:  ns2.mediatemple.net
Address:  70.32.65.137
mediatemple.com nameserver = ns2.mediatemple.net
mediatemple.com nameserver = ns1.mediatemple.net
5 Likes

My domain provider told me yesterday that they have started a process to change the mediatemple domain. Do you think that when this change is over, this problem will be resolved?

1 Like

We can only hope. I have no special knowledge on what they plan to do.

But, yes, if you get the public DNS problem fixed you should be able to get certs again. I do not see anything wrong with your client's DNS lookup config. If that was broken your error would be much different. You resolved and connected to the Let's Encrypt server just fine. It just could not reach you back because of the public DNS problem (mediatemple).

5 Likes

Hello everyone, the day before yesterday I finished the transfer of the domain. The DNS records were added and that's it: I was able to renew the certificate. Thank you all for your help.

3 Likes
