I tried to create a new cert for this domain with this command:
./letsencrypt-auto certonly -d www.imolaenergy.hu --manual --test-cert --dry-run
The process fails at this point:
Failed authorization procedure. www.imolaenergy.hu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu
No CAA record available (but it is ok), but the status is NOERROR, not SERVFAIL.
Then I tried with all of the authoritative servers:
dig @ns1.domdom.hu www.imolaenergy.hu -t TYPE257
How could I reproduce the error manually? I'm trying to solve my possible DNS problem and communicate it to my DNS hosting company, but as far as I can check, there is no problem with it.
This may (or may not) be related to this ticket, as it is the same domain provider, domdom.hu: link
You should always test it by querying your DNS servers directly. For your domain imolaenergy.hu they are ns1.domdom.hu, ns2.domdom.hu and ns3.domdom.hu.
dig @ns1.domdom.hu www.imolaenergy.hu -t TYPE257
Anyway, I've tested it from 5 countries (USA, Spain, UK, France and Germany) and I see no problem at all with your DNS servers; all of them always answer NOERROR to CAA record queries, so it is fine.
Did you try to get your test cert today?
@cpu, could you please be so kind as to take a look at this issue, just in case you have more info on your side?
Thanks for looking into my issue.
I also tested it with my own DNS server, without any problem (I also stated this in my original post).
Tried to get the test cert today again, but got the same SERVFAIL error from LE.
@MitchellK: I know that my zone is missing the CAA record, but a missing CAA record is not a problem, as I read before; only SERVFAILs on the CAA request are. So a NOERROR without an answer should be accepted.
Sorry, I misread your first post. Are you running the latest certbot? I see you are using letsencrypt-auto; what version? I've never seen certificate issuance fail because of a missing CAA record, only misconfigured A records?
@Myke79, that is correct, there is no need to have a CAA record defined and the NOERROR you receive is fine for Let's Encrypt. Let's see if @cpu can give any clue about this issue.
imolaenergy.hu/DNSKEY: The server appeared to understand EDNS by including RRSIG records, but its response included no OPT record. (195.70.36.104, 195.70.58.241, UDP_0_EDNS0_32768_512)
imolaenergy.hu/DNSKEY: The server responded with no OPT record, rather than with RCODE FORMERR. (195.70.48.49, UDP_0_EDNS0_32768_512)
I just forwarded these warnings to my DNS hosting company; maybe they can fix them.
Can anyone confirm that this is the reason why I'm still getting SERVFAIL on cert requests?
I tried again today, still without any luck:
Failed authorization procedure. www.imolaenergy.hu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu
Some good news!
My DNS provider turned off the DNSSEC altogether on my domain, and now the test-cert dry run was successful.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits), not saving to file
Creating CSR: not saving to file
IMPORTANT NOTES:
The dry run was successful.
So it looks like letsencrypt doesn't tolerate any DNSSEC warnings and simply throws me a SERVFAIL, which I cannot reproduce by calling dig with any parameters.
Now the only thing that remains is to make letsencrypt and DNSSEC work together, so I don't have to choose between them.
Thanks @MitchellK for pointing me in the right direction!
So glad you found the problem. DNS is a big problem and the root of most people's problems, and sadly a lot of organizations do not properly understand DNS, least of all DNSSEC.
Unfortunately, when it comes to DNSSEC, it is very poorly implemented by many and never tested, and the tiniest DNSSEC error can, as you have experienced, throw all sorts of other problems at you.
If you ever decide to use DNSSEC again, you have to test thoroughly to make sure all record signing is done properly and that the root DNS has your correct DS records; otherwise simply stay away from DNSSEC for now.
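The reason the SERVFAIL could not be reproduced with dig is that dig does not validate DNSSEC: `dig +dnssec` only asks the server to include RRSIG records, it never checks them, and querying the authoritative servers directly bypasses validation entirely. Let's Encrypt resolves CAA through a DNSSEC-validating resolver, which turns a broken chain of trust (or an EDNS/DO-bit problem like the OPT warnings above) into SERVFAIL even though the authoritative servers answer NOERROR. The script below is an added example, not posted in this thread and not Let's Encrypt's code; it repeats the CAA lookup through a validating public resolver, repeats it with checking disabled (`+cd`), and queries each authoritative server directly, then classifies the answers the way a CA would. The resolver address `1.1.1.1` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce a CA-style CAA lookup and tell a DNSSEC
# validation failure apart from a genuinely broken zone.
# Assumptions: 1.1.1.1 as a DNSSEC-validating resolver; dig from BIND.

# classify_caa_answer: read `dig +noall +comments` output on stdin and
# print one token:
#   OK-AUTHENTICATED  NOERROR/NXDOMAIN and the resolver set the AD flag
#   OK                NOERROR/NXDOMAIN without AD (a missing CAA set is fine)
#   SERVFAIL          what Let's Encrypt reports as "SERVFAIL looking up CAA"
#   NO-RESPONSE       no DNS header at all (timeout, unreachable server)
#   FAIL-<RCODE>      REFUSED, FORMERR, ... anything else
classify_caa_answer() {
    _out=$(cat)
    _rcode=$(printf '%s\n' "$_out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    _flags=$(printf '%s\n' "$_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$_rcode" in
        '')        echo NO-RESPONSE ;;
        SERVFAIL)  echo SERVFAIL ;;
        NOERROR|NXDOMAIN)
            case " $_flags " in
                *' ad '*) echo OK-AUTHENTICATED ;;
                *)        echo OK ;;
            esac ;;
        *)         echo "FAIL-$_rcode" ;;
    esac
}

# dnssec_is_to_blame VALIDATED CD: true when the same resolver answers
# SERVFAIL with validation on but returns data with checking disabled.
# That combination means the records exist and the chain of trust is broken.
dnssec_is_to_blame() {
    case "$1:$2" in
        SERVFAIL:OK*) return 0 ;;
        *)            return 1 ;;
    esac
}

# check_caa NAME ZONE [RESOLVER]: run the three lookups and report.
# +dnssec sets the DO bit and EDNS, the same query shape a validator sends,
# so EDNS/OPT handling bugs on the authoritative side show up here too.
check_caa() {
    _name=$1
    _zone=$2
    _resolver=${3:-1.1.1.1}   # assumption: any DNSSEC-validating resolver

    _v=$(dig +dnssec +noall +comments "@$_resolver" "$_name" CAA | classify_caa_answer)
    echo "validating resolver $_resolver      : $_v"

    _c=$(dig +cd +dnssec +noall +comments "@$_resolver" "$_name" CAA | classify_caa_answer)
    echo "same resolver, checking disabled : $_c"

    for _ns in $(dig +short "$_zone" NS); do
        _a=$(dig +norecurse +dnssec +noall +comments "@$_ns" "$_name" CAA | classify_caa_answer)
        echo "authoritative $_ns : $_a"
    done

    if dnssec_is_to_blame "$_v" "$_c"; then
        echo "=> DNSSEC validation failure: the CA will see SERVFAIL although the zone answers"
        return 1
    fi
    return 0
}

# Usage (needs network access, so not run at load time):
#   check_caa www.imolaenergy.hu imolaenergy.hu
```

When `check_caa` prints OK for every authoritative server and for the `+cd` query but SERVFAIL for the validating query, the authoritative answers are irrelevant: fix the signatures, the DS record at the parent, or the EDNS handling of the authoritative servers. `delv @1.1.1.1 www.imolaenergy.hu CAA +rtrace` (also from BIND) validates locally and prints which step of the chain fails.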