DNS problem: SERVFAIL looking up CAA for townsville.nl

My domain is: townsville.nl

I ran this command: certbot-auto renew --dry-run

It produced this output:

Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/townsville.nl.conf produced an unexpected error: Failed authorization procedure. www.townsville.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.townsville.nl, townsville.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for townsville.nl, burgerz.townsville.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for burgerz.townsville.nl, webmail.townsville.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for webmail.townsville.nl. Skipping.

My operating system is (include version): Linux, Ubuntu 14.04.05LTS

My web server is (include version):
Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 15 2016 15:34:04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Nope

Installing the certificate for this domain worked like a charm… just ran the certbot-auto command, selected the vhosts I wanted and presto, SSL on my sites! Cool!

Then I tried the renew command from this page, https://certbot.eff.org/#ubuntutrusty-apache (./path/to/certbot-auto renew --dry-run), and that resulted in the CAA error… The strange thing is that if I do a dig on my domain with CAA, it gives:

root@masuka:~# dig townsville.nl caa

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> townsville.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;townsville.nl.			IN	A

;; ANSWER SECTION:
townsville.nl.		600	IN	A	212.79.251.20

;; Query time: 4 msec
;; SERVER: 212.79.255.18#53(212.79.255.18)
;; WHEN: Fri Jan 27 00:30:49 CET 2017
;; MSG SIZE  rcvd: 47

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57471
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;caa.				IN	A

;; AUTHORITY SECTION:
.			2648	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017012601 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 212.79.255.18#53(212.79.255.18)
;; WHEN: Fri Jan 27 00:30:49 CET 2017
;; MSG SIZE  rcvd: 96

So no SERVFAIL… I’ve read some of the other comments on the forum but none seem similar to my problem since a dig command on my domain does not yield the error from the renew command…

Help?

Cheers 🙂
Matthijs

dig did not do what you think: It looked up the A record for townsville.nl. and then tried to look up the A record for caa.. I guess your version of dig is too old to support the CAA record type, but dig can look up arbitrary unsupported record types.

CAA is record type 257, so you do it like this:

dig townsville.nl type257
dig burgerz.townsville.nl type257
dig webmail.townsville.nl type257

It really does SERVFAIL:

$ dig townsville.nl type257

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> townsville.nl type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28656
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;townsville.nl.                     IN      TYPE257

;; Query time: 914 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 27 00:00:05 UTC 2017
;; MSG SIZE  rcvd: 42

If your DNS server worked correctly, and there was no CAA record, it would look something like this:

$ dig letsencrypt.org type257

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> letsencrypt.org type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64274
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;letsencrypt.org.           IN      TYPE257

;; AUTHORITY SECTION:
letsencrypt.org.    1799    IN      SOA     a20-66.akam.net. hostmaster.akamai.com. 1479493289 43200 7200 604800 7200

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 27 00:01:27 UTC 2017
;; MSG SIZE  rcvd: 116

If it worked, and there was a CAA record, an old version of dig would display it in an unreadable encoded format, but at least you’d know it existed:

$ dig google.com type257

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> google.com type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9679
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                        IN      TYPE257

;; ANSWER SECTION:
google.com.         86399   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 26 23:58:53 UTC 2017
;; MSG SIZE  rcvd: 70

A newer version of dig would, of course, display it in the standard representation:

$ dig google.com caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11077
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      CAA

;; ANSWER SECTION:
google.com.             86399   IN      CAA     0 issue "symantec.com"

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 27 00:06:14 UTC 2017
;; MSG SIZE  rcvd: 70

Let’s Encrypt does not require you to have a CAA record, but your DNS servers are required to give a valid response: Either one or more CAA records, or a proper “I don’t have any such records” response.

You need to talk to your DNS provider about upgrading to standards-compliant software, or switch to another one.
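Added example, not part of the original reply: a small Python helper that reads the output of `dig <name> type257` (or `dig <name> caa`), tells apart the three outcomes shown above, and decodes the `\# 19 …` generic encoding printed by an old dig into the standard CAA representation. The function names are illustrative, and the sample inputs are trimmed from the dig output quoted in this thread.

```python
import re

# Answer-section lines only: owner, TTL, class, then TYPE257 (old dig) or CAA (new dig).
ANSWER_RE = re.compile(r"^[^;\s]\S*\s+\d+\s+IN\s+(TYPE257|CAA)\s+(.+)$", re.M)

def decode_caa_rdata(generic):
    """Decode RFC 3597 generic rdata ('\\# <len> <hex>') into CAA presentation form."""
    m = re.fullmatch(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", generic.strip())
    if not m:
        raise ValueError("not RFC 3597 generic rdata")
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != int(m.group(1)) or len(raw) < 2:
        raise ValueError("length field does not match the hex data")
    flags, tag_len = raw[0], raw[1]           # wire format: flags, tag length,
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("bad CAA tag length")
    tag = raw[2:2 + tag_len].decode("ascii")  # tag, then the value up to the end
    value = raw[2 + tag_len:].decode("ascii")
    return f'{flags} {tag} "{value}"'

def classify_caa_lookup(dig_output):
    """Return (verdict, records) for the output of one dig CAA/TYPE257 query."""
    status = re.search(r"status: ([A-Z]+)", dig_output)
    if status is None:
        raise ValueError("no dig response header found")
    if status.group(1) != "NOERROR":
        return status.group(1), []            # e.g. SERVFAIL: not a valid answer
    records = [decode_caa_rdata(rdata) if rtype == "TYPE257" else rdata.strip()
               for rtype, rdata in ANSWER_RE.findall(dig_output)]
    return ("CAA_PRESENT" if records else "NO_CAA"), records

# Samples trimmed from the dig output quoted in this thread.
SERVFAIL = r"""
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28656
;townsville.nl.                     IN      TYPE257
"""
NO_RECORD = r"""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64274
;letsencrypt.org.           IN      TYPE257
letsencrypt.org.    1799    IN      SOA     a20-66.akam.net. hostmaster.akamai.com. 1479493289 43200 7200 604800 7200
"""
OLD_DIG = r"""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9679
google.com.         86399   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
"""

if __name__ == "__main__":
    for sample in (SERVFAIL, NO_RECORD, OLD_DIG):
        print(classify_caa_lookup(sample))
```
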
