DNS problem: SERVFAIL looking up CAA for

So I’ve been up to my neck in the command line since Let’s Encrypt decided to change the system, not a criticism merely a state of my current mental fatigue relating to all this computer stuff!

I followed the instructions listed in the multiple stickies for a domain that does very little but has no issues so far getting new certificates. After following the instructions I now get this issue:

$ certbot --version || /path/to/certbot-auto --version
certbot 0.28.0
$ sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/cloud.donotspam.me.uk.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.donotspam.me.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (cloud.donotspam.me.uk) from /etc/letsencrypt/renewal/cloud.donotspam.me.uk.conf produced an unexpected error: Failed authorization procedure. cloud.donotspam.me.uk (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for cloud.donotspam.me.uk. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.donotspam.me.uk/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.donotspam.me.uk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Is cloud.donotspam.me.uk the actual hostname used? Because we need the exact hostname giving this error for any sensible and concrete answer.

I think… one of your backend nameservers is broken, returning REFUSED to queries – maybe always, maybe when the queries are sent with EDNS or something, maybe only for some query types – so DNS resolution sometimes fails.

If you try again, Let’s Encrypt might succeed.

But having unreliable DNS is a problem anyway – a medium or huge problem depending on exactly what’s happening – so you should fix it even if you can get Let’s Encrypt to succeed.

Successful:

https://unboundtest.com/m/CAA/cloud.donotspam.me.uk/KCDU4SZ2

Problematic:

https://ednscomp.isc.org/ednscomp/c9d2796066
https://ednscomp.isc.org/ednscomp/25643da2a1

It looks like the DNS service is using Cloudflare DNS Firewall, so there isn’t a one-to-one mapping between hostnames or IPs and actual backend servers. It will seemingly succeed or fail depending on what backend randomly gets the request.

Edit: REFUSED usually means the DNS server isn’t configured to serve that zone. But it could also be buggy, or using a buggy firewall.
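As an added example (my own code, not from this thread, Certbot or Let's Encrypt), here is a minimal pure-Python probe that builds a CAA query with or without an EDNS0 OPT record, sends it to one nameserver address and reports the RCODE, so each backend can be checked separately for the REFUSED behaviour described above. The nameserver address is something you supply; the hostname is the one from the thread, and the function names are my own.

```python
import socket
import struct

TYPE_CAA = 257                                     # CAA RR type (RFC 8659)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    # Wire-format a hostname as length-prefixed labels ending in a root byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_caa_query(name, edns=True, txid=0x1234):
    """Build a CAA query; ARCOUNT is 1 when an EDNS0 OPT record is appended."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack(">HH", TYPE_CAA, 1)
    # OPT pseudo-record: root name, type 41, UDP payload 4096, no flags/options.
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt

def skip_name(data, off):
    # Return the offset just past a (possibly compressed) name starting at `off`.
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode name, [(flags, tag, value), ...]) for the CAA answers."""
    flags, qdcount, ancount = struct.unpack(">HHH", data[2:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4             # skip QTYPE and QCLASS
    caa = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        rdata = data[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_CAA:
            taglen = rdata[1]
            caa.append((rdata[0], rdata[2:2 + taglen].decode(), rdata[2 + taglen:].decode()))
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), caa

def query_caa(server_ip, name, edns=True, timeout=3.0):
    """Send one CAA query over UDP to a single authoritative server (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_caa_query(name, edns), (server_ip, 53))
        return parse_response(sock.recv(4096))
```

Call query_caa with each authoritative address for the zone, once with edns=True and once with edns=False; a backend that answers REFUSED in only one of those modes is exactly the kind of inconsistency that surfaces as an intermittent SERVFAIL at the validating resolver.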
