DNS problem: SERVFAIL looking up A


#1

Hi,

I am trying to generate a letsencrypt certificate for kronos.xdi.uevora.pt, and I am constantly getting the “DNS problem: SERVFAIL looking up A” error. All online DNS tools are able to resolve this name with no problems. I don’t understand what can be wrong.

The command that I run was:

sudo letsencrypt certonly -a webroot -w /var/www/letsencrypt -d kronos.xdi.uevora.pt

The complete output is:

Failed authorization procedure. kronos.xdi.uevora.pt (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for kronos.xdi.uevora.pt

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: kronos.xdi.uevora.pt
Type: connection
Detail: DNS problem: SERVFAIL looking up A for kronos.xdi.uevora.pt

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I am using Ubuntu 16.04 and running nginx shipped with GitLab.
Can anyone help with this problem? Thanks!


#2

There are issues with the DNS setup:

http://dnsviz.net/d/kronos.xdi.uevora.pt/dnssec/
http://dnssec-debugger.verisignlabs.com/kronos.xdi.uevora.pt

For me, some DNSSEC-validating resolvers (Google Public DNS) can handle it regardless, and some (every other one i tried) can’t.

Let’s Encrypt’s recursive DNS servers evidently fall into the “can’t” category.


#3

Or perhaps “won’t” :wink:

If security is your goal, it’s quite odd to ignore faults/errors in DNSSEC :stuck_out_tongue:


#4

HI,

Thank you all for your help. I am aware that we don’t have DNSSEC in this zone, but I never thought that could be a problem for Letsencrypt. I will get that problem solved and then try again


#5

Not having DNSSEC isn’t a problem. Having a broken or faulty DNSSEC could be the source of many problems :wink:


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.