DNS problem: SERVFAIL looking up CAA

Error output:

Challenge failed for domain helpdesk.fractel.net
http-01 challenge for helpdesk.fractel.net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: helpdesk.fractel.net
    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for
    helpdesk.fractel.net - the domain's nameservers may be
    malfunctioning

But I’ve no idea why the certificate could not be generated.
Can you please help me to resolve the problem?

I don't see any problem, perhaps there was a temporary DNS issue, but I cannot find it.

Also, when I test your domain, I get an expected "validation challenge error". This means the Let's Encrypt validation server has successfully checked the CAA record and found no issues with it. I've tested the order of CAA and challenge testing by trying to get a certificate for google.com, which is prohibited for Let's Encrypt by their CAA record. When trying to get a cert for google.com, I get the expected CAA refusal error.

Therefore, the Let's Encrypt validation server first checks the CAA record and then it follows up with the actual validation challenge. And as I'm getting a validation error and no CAA error when trying to get a cert for your domain, the CAA problem seems to have been resolved.

We are getting the below error for multiple domains while creating the Let's Encrypt certificate.
Can you please let me know of any outages on Let's Encrypt's side?

Domain: helpdesk.fractel.net
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for
helpdesk.fractel.net - the domain's nameservers may be
malfunctioning

Not that I know, nor can I confirm the errors, as said above. See also:

No issues found with the hostnames for CAA.

Also, my little experiment:

Expected CAA error before any validation has even been attempted:

server ~ # certbot certonly -d google.com --webroot -w /var/www/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for google.com
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "google.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
Please see the logfiles in /var/log/letsencrypt for more details.
server ~ # 

Validation error (expected, as I'm not authorized to get a cert for your hostname) when requesting a cert for your hostname, signaling CAA checking has succeeded:

server ~ # certbot certonly -d helpdesk.fractel.net --webroot -w /var/www/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for helpdesk.fractel.net
Performing the following challenges:
http-01 challenge for helpdesk.fractel.net
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain helpdesk.fractel.net
http-01 challenge for helpdesk.fractel.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: helpdesk.fractel.net
   Type:   unauthorized
   Detail: Invalid response from
   http://helpdesk.fractel.net/.well-known/acme-challenge/IRadxi6DoVQe6KH2k-9j_b_rKuthnc6q5tjj8jVh4GE
   [18.235.219.74]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
server ~ # 

So I'm not sure why you would get the CAA error whereas I don't get it?

Perhaps @lestaff can shed some light on this situation? Why would person A get a CAA error and why would person B not get such an error? Are the errors cached too?

1 Like

Osiris, thanks for the update.

I am trying to create a SAN certificate. While creating the certificate we are getting SERVFAIL looking up CAA for one domain, and a few minutes later, when I am generating the certificate for the same set of domains, I get the SERVFAIL looking up CAA error for different domains. It doesn't look like a domain problem.

Are all domains a CNAME, such as the one mentioned in OP?:

;; ANSWER SECTION:
helpdesk.fractel.net.	0	IN	CNAME	elb16.freshdesk.com.

And if so, do they all point to the same FQDN?

Yes, correct.
They all point to elb16.freshdesk.com.

Just for testing purposes, could you perhaps test getting a certificate for just a single hostname (which should fail with the same error) and then add a CAA record for the hostname with contents:

0 issue "letsencrypt.org"

And test getting a certificate for just that hostname again and see if it fails too?

Please use the staging environment for these testing purposes.

1 Like

Hi @saravanan! I see from our logs you are trying to create a certificate with many hostnames on it. Can you tell us how many hostnames you're trying to put on each certificate?

Sometimes putting many hostnames on a certificate can lead to validation problems. In particular, when Let's Encrypt tries to validate such a certificate, it will send a lot of CAA queries to your DNS servers all at once. We've seen in the past that some DNS servers have rate limiting, DDoS protection, or firewalls in place that block us when we send a large number of queries all at once. Do your servers have something like that?

My main recommendation is to split up your request into many separate certificates - even one certificate per hostname is good. That way you have more control over when the hostnames are validated and can spread them out so our queries don't hit your DNS servers' rate limiting / anti-DDoS / firewall.

If splitting up your one big certificate request into multiple certificate requests isn't an option, I would recommend checking the settings on your DNS servers and any network appliances that sit between your DNS servers and the internet.

7 Likes
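The two mechanisms discussed in this thread, the CAA lookup a CA performs before it even attempts validation (Osiris's experiment and CAA record suggestion) and the burst of CAA queries a many-hostname order produces against one set of nameservers (jsha's explanation), can be modelled offline. The following is an added example, not Let's Encrypt's (Boulder's) code: it implements the RFC 8659 lookup (CAA query at the name, CNAMEs chased by the resolver, then the parents of the original name climbed until a non-empty CAA RRset is found) and an issuance decision against the `issue` property. All zone contents are constructed; the hostnames other than helpdesk.fractel.net, the `shop.example`/`locked.example` names, the 192.0.2.10 address and the query `budget` (a stand-in for rate limiting or anti-DDoS filtering in front of a nameserver) are assumptions made for the illustration. Because a CNAME owner cannot carry other records, the example's CAA records sit on non-aliased names.

```python
"""CAA check a CA performs before validating an order (RFC 8659), modelled offline.

Added illustration, not Let's Encrypt's (Boulder's) code. All zone data, the
hostnames other than helpdesk.fractel.net and the query budget are constructed.
"""
from typing import Dict, List, Optional, Tuple

class ServFail(Exception):
    """A nameserver answered SERVFAIL (or did not answer at all)."""

class Zone:
    """Authoritative zone; `budget` stands in for rate limiting or anti-DDoS
    filtering in front of it: once one burst exceeds it, queries get SERVFAIL."""
    def __init__(self, records: Dict[str, Dict[str, List[str]]], budget: Optional[int] = None):
        self.records, self.budget, self.used = records, budget, 0   # owner -> {rrtype: [rdata]}

    def new_burst(self) -> None:
        self.used = 0

    def query(self, name: str, rrtype: str) -> Tuple[str, object]:
        self.used += 1
        if self.budget is not None and self.used > self.budget:
            raise ServFail(name)
        rrsets = self.records.get(name, {})
        if "CNAME" in rrsets and rrtype != "CNAME":
            return "CNAME", rrsets["CNAME"][0]        # alias: the caller chases it
        return rrtype, rrsets.get(rrtype, [])

def zone_for(name: str, zones: Dict[str, Zone]) -> Zone:
    """Zone whose apex is the longest suffix of `name` ('.' catches the rest)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        apex = ".".join(labels[i:]) + "."
        if apex in zones:
            return zones[apex]
    raise KeyError(name)

def caa(name: str, zones: Dict[str, Zone]) -> List[str]:
    """CAA(X) of RFC 8659 s.3: a CAA query at X, chasing CNAMEs like a resolver."""
    for _ in range(8):                                   # bound the alias chain
        kind, data = zone_for(name, zones).query(name, "CAA")
        if kind != "CNAME":
            return data
        name = data
    raise ServFail(name)

def relevant_caa_set(name: str, zones: Dict[str, Zone]) -> Tuple[Optional[str], List[str]]:
    """Climb from X towards the root; the first non-empty CAA RRset wins. Only the
    parents of the original name are climbed, never those of a CNAME target."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        x = ".".join(labels[i:]) + "."
        rrset = caa(x, zones)
        if rrset:
            return x, rrset
    return None, []

def parse_caa(rdata: str) -> Tuple[int, str, str]:
    flags, tag, value = rdata.split(" ", 2)              # e.g. 0 issue "letsencrypt.org"
    return int(flags), tag.lower(), value.strip('"')

def may_issue(name: str, zones: Dict[str, Zone], ca: str = "letsencrypt.org") -> Tuple[bool, str]:
    """RFC 8659 s.4 decision for a non-wildcard name; raises ServFail if undeterminable."""
    owner, rrset = relevant_caa_set(name, zones)
    if not rrset:
        return True, "no CAA records anywhere in the tree"
    issue = []
    for rdata in rrset:
        flags, tag, value = parse_caa(rdata)
        if tag == "issue":
            issue.append(value.split(";", 1)[0].strip())  # drop parameters
        elif flags & 128:
            return False, f"unknown critical CAA tag {tag!r} at {owner}"
    if not issue or ca in issue:
        return True, f"CAA at {owner} permits {ca}"
    return False, f"CAA at {owner} forbids {ca}: issue={issue}"

def check_order(hostnames: List[str], zones: Dict[str, Zone]) -> Dict[str, Tuple[bool, str]]:
    """CAA-check every identifier of one order; all queries land in a single burst."""
    for zone in zones.values():
        zone.new_burst()
    results = {}
    for host in hostnames:
        try:
            results[host] = may_issue(host, zones)
        except ServFail as failed:
            results[host] = (False, f"DNS problem: SERVFAIL looking up CAA for {host} (at {failed})")
    return results

def check_one_per_order(hostnames: List[str], zones: Dict[str, Zone]) -> Dict[str, Tuple[bool, str]]:
    """One order per hostname, spread out in time, so each gets a fresh burst."""
    results = {}
    for host in hostnames:
        results.update(check_order([host], zones))
    return results

def build_zones() -> Dict[str, Zone]:
    """Constructed zone data (not real DNS answers); budget=4 is a hypothetical rate limit."""
    elb = {"CNAME": ["elb16.freshdesk.com."]}
    return {
        "fractel.net.": Zone({"helpdesk.fractel.net.": elb,            # as in the thread
                              "portal.fractel.net.": elb,              # constructed
                              "status.fractel.net.": elb}, budget=4),  # constructed
        "freshdesk.com.": Zone({"elb16.freshdesk.com.": {"A": ["192.0.2.10"]}}),
        "shop.example.": Zone({"shop.example.": {"CAA": ['0 issue "letsencrypt.org"']}}),
        "locked.example.": Zone({"locked.example.": {"CAA": ['0 issue "ca.example"']}}),
        ".": Zone({}),                                   # everything else: empty, never fails
    }

if __name__ == "__main__":
    san = ["helpdesk.fractel.net.", "portal.fractel.net.", "status.fractel.net."]
    for label, fn in (("one order ", check_order), ("per host  ", check_one_per_order)):
        for host, (ok, why) in fn(san, build_zones()).items():
            print(label, host, "OK" if ok else "FAIL", why)
    for host in ("shop.example.", "locked.example."):
        print("caa record", host, may_issue(host, build_zones()))
```

Each CNAME'd hostname costs the `fractel.net` nameserver two CAA queries (the name itself and its parent), so a single three-hostname order exceeds the constructed budget and the third identifier comes back with the same "SERVFAIL looking up CAA" wording as in the thread, even though nothing is wrong with that hostname's records; the same three hostnames checked as separate orders all pass. The `shop.example`/`locked.example` names show the decision a `0 issue "..."` record produces once the lookup does succeed: the first is permitted for letsencrypt.org, the second is refused before any validation challenge is attempted, which is the ordering Osiris observed with google.com.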
