DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu


#1

Hi there,

I tried to create a new cert for this domain with this command:
./letsencrypt-auto certonly -d www.imolaenergy.hu --manual --test-cert --dry-run

The process fails and this point:
Failed authorization procedure. www.imolaenergy.hu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu

I tried myself to dig it:
dig @8.8.8.8 www.imolaenergy.hu -t type257

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

No CAA record available (but it is ok), but the status is NOERROR, not SERVFAIL.
Then I tried with all of the authenticate servers:
dig @ns1.domdom.hu www.imolaenergy.hu -t type257

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28921
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

How could I reproduce the error manually? I’m trying to solve my possible DNS problem, and communicate it with my dns hosting company, but as far as I can check it, there is no problem with it.

This may (or may not) related to this ticket, as this is the same domain provider - domdom.hu: link

Thanks for any help,

Best regards,
Myke


#2

The problem still persist, anyone have an idea how should I reproduce the SERVFAIL request, which the LE throw me?


#3

Hi @Myke79,

You should always test it quering directly to your DNS servers. For your domain imolaenergy.hu are ns1.domdom.hu, ns2.domdom.hu and ns3.domdom.hu.

dig @ns1.domdom.hu www.imolaenergy.hu -t TYPE257

Anyway, I’ve tested it from 5 countries (USA, Spain, UK, France and Germany) and I see no problem at all on your DNS servers, all of them always answer with NOERROR to CAA record queries so it is fine.

Did you try to get your test cert today?.

@cpu, could you please be so kind to take a look into this issue just in case you have more info on your side?.

Cheers,
sahsanu


#4

Your CAA record is either not correctly configured or your DNS is messed up

See for yourself
dig @ns1.domdom.hu. imolaenergy.hu -t type257 (gives no answer for 257)

; <<>> DiG 9.8.3-P1 <<>> @ns1.domdom.hu. imolaenergy.hu -t type257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13665
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;imolaenergy.hu.			IN	TYPE257

;; AUTHORITY SECTION:
imolaenergy.hu.		3600	IN	SOA	ns1.domdom.hu. postmaster.domdom.hu. 2016032202 86400 7200 3600000 3600

same with
dig @8.8.8.8 imolaenergy.hu -t type257

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 imolaenergy.hu -t type257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;imolaenergy.hu.			IN	TYPE257

;; AUTHORITY SECTION:
imolaenergy.hu.		1799	IN	SOA	ns1.domdom.hu. postmaster.domdom.hu. 2016032202 86400 7200 3600000 3600

;; Query time: 287 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 27 13:31:55 2017
;; MSG SIZE  rcvd: 90

This it how it should look when it responds with your CAA record

dig @8.8.8.8 mitchellkrog.com -t type257 (look at the ANSWER section)

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 mitchellkrog.com -t type257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4877
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mitchellkrog.com.		IN	TYPE257

;; ANSWER SECTION:
mitchellkrog.com.	3599	IN	TYPE257	\# 22 000569737375656C657473656E63727970742E6F7267

;; Query time: 431 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 27 13:32:38 2017
;; MSG SIZE  rcvd: 68

Your CAA record in your DNS should be setup as follows

@ IN CAA 0 issue "letsencrypt.org"


#5

Hi Sahsanu, MitchellK

Thanks for looking up on my issue.
I also tested it with my own DNS server, without any problem (also stated this on my original post)
Tried to get the test cert today again, but got the same SERVFAIL error from LE.

@MitchellK: I know that my zone misses the CAA record, but a missing CAA record is not a problem as I read it before, only SERVFAILs on CAA request. So a NOERROR without an answer should be accepted.


#6

Sorry misread your first post. Are you running the latest certbot? I see you are using letsencrypt-auto, what version? I’ve never seen certificate issuance fail because of a missing CAA record, only misconfigured A records ???


#7

@Myke79, that is correct, there is no need to have a CAA record defined and the NOERROR you receive is fine to Let’s Encrypt, let’s see if @cpu can give any clue to this issue.


#8

Misread original post, my bad.


#9

This is what I’m using now. I think it is self-updated recently.

letsencrypt-auto --version
certbot 0.13.0


#10

Yip same version as me, latest so really unsure why you are getting this error.


#11

Normal nslookup works fine ??? this is very weird.

nslookup www.imolaenergy.hu
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	www.imolaenergy.hu
Address: 84.21.7.22

and all dig tests seem fine too

dig www.imolaenergy.hu A +short
84.21.7.22

dig imolaenergy.hu A +short
84.21.7.22

DNS problem: query timed out looking up CAA (using Netregistry)
DNS problem: SERVFAIL looking up CAA
#12

Also not sure if this may be causing a problem but you have some warnings on your DNSSEC tests.

http://dnsviz.net/d/imolaenergy.hu/dnssec/

imolaenergy.hu/DNSKEY: The server appeared to understand EDNS by including RRSIG records, but its response included no OPT record. (195.70.36.104, 195.70.58.241, UDP_0_EDNS0_32768_512)

imolaenergy.hu/DNSKEY: The server responded with no OPT record, rather than with RCODE FORMERR. (195.70.48.49, UDP_0_EDNS0_32768_512)


#13

I just forwarded these warnings to my dns hosting company, maybe they could fix them.
Can anyone confirm that this is the reason for why I’m still getting SERVFAIL on cert requests?
I tried again today, still without any luck:

Failed authorization procedure. www.imolaenergy.hu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu

IMPORTANT NOTES:

But all manual CAA request with dig looks ok for me, with NOERROR.


#14

Some good news!
My DNS provider turned off the DNSSEC altogether on my domain, and now the test-cert dry run was successful.

Waiting for verification…
Cleaning up challenges
Generating key (2048 bits), not saving to file
Creating CSR: not saving to file

IMPORTANT NOTES:

  • The dry run was successful.

So it looks like, that the letsencrypt doesn’t tolerate any dnssec warnings, and simply throw me a SERVFAIL, which I cannot reproduce with calling dig with any parameter.

Now the only thing remains is to made letsencrpyt and the dnssec working together, so I dont have to choose between them :slight_smile:

Thanks @MitchellK to pointing me in the right direction!


#15

So glad you found the problem :thumbsup: DNS is a big problem and the root of most people’s problems and sadly a lot of organizations do not properly understand DNS least of all DNSSEC.

Unfortunately when it comes to DNSSEC it is very poorly implemented by many and not ever tested and the tiniest DNSSEC error can, as you have experienced, throw all sorts of other problems at you.

If you ever decide to use DNSSEC again you have to test thoroughly to make sure all record signing is done properly and that the root DNS has your correct DS records, otherwise simply stay away from DNSSEC for now :slight_smile:


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.