DNS problem: SERVFAIL looking up CAA

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.niwdedev.me

I ran this command:
sudo certbot -d www.niwdedev.me --manual --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for www.niwdedev.me

Please deploy a DNS TXT record under the name _acme-challenge.www.niwdedev.me with the following value:
efG0lQ8k5l9Mm3cqUEhXfDxWnBCo_gL5q9aB_COjAfs
Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.niwdedev.me (dns-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for niwdedev.me

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.niwdedev.me
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for niwdedev.me

My web server is (include version): Alicloud ECS

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is: Alicloud

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.22.2

Your site’s DNS just failed. I just can’t connect to your site, even by HTTP.

Hi @niwde

there is a check of your domain, ~~4 hours old - https://check-your-website.server-daten.de/?q=niwdedev.me

The name servers are terribly red.

X Fatal error: Nameserver doesn't support TCP connection: ns7.alidns.com: Fatal error (0)
X Fatal error: Nameserver doesn't support TCP connection: ns7.alidns.com / 106.11.141.131: Refused
X Fatal error: Nameserver doesn't support TCP connection: ns7.alidns.com / 106.11.141.141: Refused
X Fatal error: Nameserver doesn't support TCP connection: ns7.alidns.com / 106.11.211.71: Refused

No TCP-connection possible, Refused.

Same with your CAA-Part:

Domainname         flag   Name   Value                                                                     ∑ Queries   ∑ Timeout
www.niwdedev.me    0             no CAA entry found                                                        1           0
niwdedev.me        -5            Refused - The name server refuses to perform the specified operation      1           0
                                 for policy reasons
me                 0             no CAA entry found                                                        1           0

Looks like the domain doesn't work.

PS: Curious: Your non-www -> Refused. Your www works and has an ip address.

Host               T      IP-Address                                                                   is auth.   ∑ Queries   ∑ Timeout
niwdedev.me               Refused                                                                      yes        1           0
www.niwdedev.me    A      47.88.225.244 Singapore//Singapore (SG) - Alibaba.com LLC, No Hostname found  yes        1           0
www.niwdedev.me    AAAA                                                                                yes

If it is possible (but I don't think), try to create a CAA entry with your www domain name.

If such an entry exists, the non-www CAA isn't checked.


Hi @JuergenAuer, thank you so much for your prompt reply!

Sorry that I am really new to this. (Trying to sort out this server which I just took over from my colleague who just quit)

Adding a CAA record

Type: CAA
Host: _____ .www.niwdedev.me
ISP Line: Default
Value: letsencrypty.org
TTL: 10mins

Can I check what I should be filling in for my Host?

The problem seems to be that the DNS zone is named "www.niwdedev.me" instead of "niwdedev.me". So, for example, http://niwdedev.me/ doesn't resolve because the DNS servers don't think it exists. On the other hand, you created an A record named www in the zone, so http://www.www.niwdedev.me/ does currently exist!

You have to fix it by renaming the zone from "www.niwdedev.me" to "niwdedev.me" in the DNS control panel, if that's possible. If it's not possible, you might have to create a new zone named "niwdedev.me" and copy your records over, and you might have to delete the old one.

For Let's Encrypt, you can work around the problem by creating the CAA record mentioned.

That should be letsencrypt.org -- you added a second y.

The end result is that the record needs to be named www.niwdedev.me. Do you know what you need to enter to produce that? You probably have to leave the host field blank, or write @ or something.


You guys are awesome for replying this fast!

@mnordhoff noted, I will need to check on that record after I get this site authenticated. And kudos for spotting my typo haha.

However, I’m not sure what I’m doing wrong with trying to add the CAA record:


I will check with AliCloud on this CAA record issue and get back! Ty guys!

Do they have any documentation showing how to enter a CAA record?

Don’t set the host to “www”. Try leaving it blank or using “@”.

Try setting the value to this:

0 issue "letsencrypt.org"

Instead of just letsencrypt.org.


@JuergenAuer @mnordhoff

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.niwdedev.me/fullchain.pem

Thank you guys so much, I got it authenticated now!

@mnordhoff Thank you so much! That allowed me to set the CAA record in AliCloud and authenticate the challenge.

Really appreciate the prompt response and help in this community!! :smile:


That’s great! :smile:

I didn’t explain anything, but a CAA record consists of three fields: Currently, the first one can be 0 or 128; the second one can be iodef, issue or issuewild, and the third one contains the CA or (for iodef records) your contact information.

0 issue "letsencrypt.org" is the standardized way to represent the CAA record in text, but different DNS interfaces make people enter data in different ways. For example, some might have three separate boxes. If it’s not documented, it can take some guesswork to figure out exactly what’s needed. :slightly_frowning_face:

You should still fix the issue – the name of the zone – that caused this, though. It might cause other problems for you in the future, unrelated to Let’s Encrypt.

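Added example (not code from this thread, certbot, or Let's Encrypt): the behaviour behind two remarks above, the three-field CAA record format (flags, tag, value) and "if such an entry exists, the non-www CAA isn't checked". A CA walks from the requested name toward the root and stops at the first name that returns a CAA RRset; a nameserver error before that point aborts the whole lookup, which is the "SERVFAIL looking up CAA for niwdedev.me" failure. The zone contents below are constructed to mirror the check-your-website output in the thread (apex refuses queries, www answers), and the function names are the example's own.

```python
"""CAA record parsing and the RFC 8659 tree walk, as a constructed example.

Not code from certbot or Let's Encrypt.  Zone data is made up to mirror
the thread: the apex name refuses queries, the www label answers.
"""
import re

# Presentation format: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^(\d{1,3})\s+(issue|issuewild|iodef)\s+"([^"]*)"$', re.I)


def parse_caa(text):
    """Parse one CAA record in text form into {flags, tag, value}.

    Raises ValueError for malformed input such as a bare 'letsencrypt.org'
    with no flags or tag (the shape the control panel rejected above).
    """
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flags not in (0, 128):       # 128 = issuer-critical bit; nothing else is defined
        raise ValueError("flags must be 0 or 128")
    return {"flags": flags, "tag": tag, "value": value}


# Constructed zones.  Each name maps to a list of CAA record texts,
# the string "REFUSED" (nameserver error), or None (NOERROR, no CAA data).
ZONE_BROKEN = {
    "www.niwdedev.me": None,      # A record exists, but no CAA yet
    "niwdedev.me": "REFUSED",     # apex: nameserver refuses the query
    "me": None,                   # TLD: no CAA entry
}
ZONE_FIXED = dict(ZONE_BROKEN, **{"www.niwdedev.me": ['0 issue "letsencrypt.org"']})


def caa_lookup(zone, name):
    """Walk from `name` to the root; return (records, name_where_found).

    The first name with a non-empty CAA RRset wins, so a CAA record on
    www.niwdedev.me means niwdedev.me is never queried.  A nameserver
    error met before that raises LookupError, as certbot reported.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        node = ".".join(labels[i:])
        answer = zone.get(node)          # missing key behaves like NOERROR/no data
        if answer == "REFUSED":
            raise LookupError(f"SERVFAIL looking up CAA for {node}")
        if answer:
            return [parse_caa(r) for r in answer], node
    return [], None


def lookup_status(zone, name):
    """'ok' if the walk completes, otherwise the error text."""
    try:
        caa_lookup(zone, name)
        return "ok"
    except LookupError as err:
        return str(err)


def ca_may_issue(zone, name, ca="letsencrypt.org", wildcard=False):
    """RFC 8659 check: with no relevant records any CA may issue; otherwise
    the CA must be named in an issue (or, for wildcards, issuewild) record."""
    records, _ = caa_lookup(zone, name)
    tag = "issue"
    if wildcard and any(r["tag"] == "issuewild" for r in records):
        tag = "issuewild"            # issuewild overrides issue only for wildcard names
    relevant = [r for r in records if r["tag"] == tag]
    if not relevant:
        return True
    # The value may carry parameters after ';', e.g. "letsencrypt.org; validationmethods=dns-01"
    return any(r["value"].split(";")[0].strip().lower() == ca for r in relevant)


if __name__ == "__main__":
    print(lookup_status(ZONE_BROKEN, "www.niwdedev.me"))   # the thread's failure
    print(lookup_status(ZONE_FIXED, "www.niwdedev.me"))    # ok after adding the www CAA
    print(ca_may_issue(ZONE_FIXED, "www.niwdedev.me"))     # True for letsencrypt.org
```

The workaround in the thread works because the walk stops at www.niwdedev.me once it carries a CAA RRset; renaming the zone to niwdedev.me remains the real fix, since anything else that climbs past www (or any lookup of the bare apex) still hits the refusal.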

Roger that! That would explain some of the other issues I'm facing.... :sweat_smile:

And thank you so much again!!!

