DNS problem: SERVFAIL looking up CAA for repo.cineca.it

My domain is: www.repo.cineca.it

I ran this command: certbot renew

It produced this output:
Attempting to renew cert (www.repo.cineca.it) from /etc/letsencrypt/renewal/www.repo.cineca.it.conf produced an unexpected error: Failed authorization procedure. www.repo.cineca.it (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for repo.cineca.it. Skipping.

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Until the end of August I was able to renew the certificate, but not now.
Please can you help me?
Do I have to ask my system administrator for something?
Best regards, Giusy

repo.cineca.it.         252     IN      CNAME   dsetlab10.private.cineca.it.

repo.cineca.it. can’t be resolved, at least from the public Internet. By the name, I guess it’s something private that only works inside your organization?

You have a couple options:

  • Add a CAA record for www.repo.cineca.it. (E.g. 0 issue "letsencrypt.org".) Then Let’s Encrypt won’t care whether or not repo.cineca.it. works.

  • Make repo.cineca.it. resolve from the Internet. You can use a split horizon setup so it doesn’t have the same records as are used internally – or any records at all! – as long as it has a valid response.
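To see why the first option works, here is a model of the CAA tree climb a CA performs (RFC 8659), written as an added example rather than code from this thread or from Let's Encrypt. The zone data is constructed to mirror the situation above, real DNS and CNAME chasing are left out, and the helper names (caa_decision, with_caa_on_www) are mine.

```python
"""CAA tree climb (RFC 8659) as a CA performs it before issuing.

Added example, not code from the thread or from Let's Encrypt. The DNS answers
are constructed to mirror the thread; real DNS and CNAME chasing are out of scope.
"""

# Each name maps to (rcode, CAA RRset of (flags, tag, value)); absent names answer NXDOMAIN.
CONSTRUCTED_ZONE = {
    "www.repo.cineca.it": ("NOERROR", []),  # no CAA record: the state in the thread
    "repo.cineca.it": ("SERVFAIL", []),     # CNAME to a private name that fails
    "cineca.it": ("NOERROR", []),
    "it": ("NOERROR", []),
}

def lookup_caa(zone, name):
    """Simulated CAA query; returns (rcode, records)."""
    return zone.get(name, ("NXDOMAIN", []))

def caa_decision(zone, fqdn, ca_identity="letsencrypt.org"):
    """Climb from fqdn toward the root, stopping at the first non-empty CAA RRset.

    Returns (outcome, name) with outcome one of:
      "permitted" - an issue tag at `name` names ca_identity
      "forbidden" - a CAA set at `name` exists but does not name ca_identity
      "no-caa"    - the whole tree was climbed without finding any CAA set
      "servfail"  - the lookup at `name` failed; the CA cannot tell a DNSSEC
                    failure from an outage, so it fails closed
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = lookup_caa(zone, name)
        if rcode == "SERVFAIL":
            return ("servfail", name)
        if records:
            issuers = {v.split(";")[0].strip() for _, tag, v in records if tag == "issue"}
            return ("permitted" if ca_identity in issuers else "forbidden", name)
        # NOERROR with an empty answer, or NXDOMAIN: keep climbing
    return ("no-caa", None)

def with_caa_on_www(zone):
    """First fix from the reply: publish 0 issue "letsencrypt.org" on the www name."""
    fixed = dict(zone)
    fixed["www.repo.cineca.it"] = ("NOERROR", [(0, "issue", "letsencrypt.org")])
    return fixed

if __name__ == "__main__":
    print(caa_decision(CONSTRUCTED_ZONE, "www.repo.cineca.it"))  # ('servfail', 'repo.cineca.it')
    print(caa_decision(with_caa_on_www(CONSTRUCTED_ZONE), "www.repo.cineca.it"))
```

With the CAA record on the www name the climb stops there and the broken parent is never queried; making repo.cineca.it answer NOERROR instead (the second option) also lets the climb finish without a SERVFAIL.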

Thanks for the reply.
I forwarded your suggestion to my system administrators.
However, I don’t understand why I had been able to renew the certificate for more than one year (my last renewal was at the end of August) and this problem has happened just now. Consider that nothing has changed in our DNS configuration from August to now.
So, do you know what has changed in these last months in Let’s Encrypt?
Thanks a lot.

This is probably because on 8 September CAA record checking became mandatory for all Certification Authorities. There are some regulations with regard to how to handle SERVFAIL errors - for example, if a SERVFAIL was caused by a DNSSEC validation error, the CA is prohibited from issuing a certificate at all. As it is hard to distinguish a SERVFAIL caused by DNSSEC failures from a SERVFAIL caused by other factors (and there is some controversy about how to treat CAA SERVFAILs in general), Let’s Encrypt fails secure and returns an error.

There are some details about CAA validation at https://letsencrypt.org/docs/caa/.
