DNS problem: SERVFAIL looking up CAA

My domain is: wageindicator.org

I ran this command:

certbot certonly --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d www.euroccupations.org -d www.wageindex.eu -d www.wageindicator.org -d www.workindicators.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wageindicator.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for euroccupations.org
http-01 challenge for wageindex.eu
http-01 challenge for wageindicator.org
http-01 challenge for workindicators.com
http-01 challenge for www.euroccupations.org
http-01 challenge for www.wageindex.eu
http-01 challenge for www.wageindicator.org
http-01 challenge for www.workindicators.com
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. wageindicator.org (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for wageindicator.org - the domain's nameservers may be malfunctioning, www.wageindicator.org (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for wageindicator.org - the domain's nameservers may be malfunctioning

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: wageindicator.org
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for wageindicator.org
   - the domain's nameservers may be malfunctioning

   Domain: www.wageindicator.org
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for wageindicator.org
   - the domain's nameservers may be malfunctioning

My web server is (include version): nginx/1.14.2

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: VPS uses linode.com (hostname ciney.wageindicator.org), DNS is managed at openprovider.eu

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

When I run the certbot command without www.wageindicator.org the certificates get renewed:

certbot certonly --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d  www.euroccupations.org -d www.wageindex.eu -d www.workindicators.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate wageindicator.org to include new domain(s):
(None)

You are also removing previously included domain(s):
- www.wageindicator.org

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wageindicator.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: systemctl reload nginx

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wageindicator.org.conf/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wageindicator.org.conf/privkey.pem
   Your cert will expire on 2021-12-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I did try to search for this problem related to DNS CAA and have read this doc: Certificate Authority Authorization (CAA) - Let's Encrypt. We don't have CAA enabled for wageindicator.org. I tried debugging this error using several sites which analyze DNS records, and ran several dig commands, but could not find what exactly is wrong.

Several sites I've used to find out what is wrong:
https://unboundtest.com/m/CAA/wageindicator.org/ZU7U2L2K
https://dnssec-debugger.verisignlabs.com/www.wageindicator.org
https://dnsviz.net/d/wageindicator.org/dnssec/

Dig commands I've used:

➜  ~ dig DNSKEY wageindicator.org

; <<>> DiG 9.10.6 <<>> DNSKEY wageindicator.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;wageindicator.org.		IN	DNSKEY

;; AUTHORITY SECTION:
wageindicator.org.	1800	IN	SOA	ns1.openprovider.nl. dns.openprovider.eu. 2021082402 10800 3600 604800 3600

;; Query time: 189 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 15 10:51:35 CEST 2021
;; MSG SIZE  rcvd: 120
➜  ~ dig +dnssec www.wageindicator.org

; <<>> DiG 9.10.6 <<>> +dnssec www.wageindicator.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51140
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.wageindicator.org.		IN	A

;; ANSWER SECTION:
www.wageindicator.org.	21600	IN	A	139.162.181.223

;; Query time: 41 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Sep 15 10:51:06 CEST 2021
;; MSG SIZE  rcvd: 66

What's wrong is that you don't have any CAA records for wageindicator.org.
You need to publish CAA records to the DNS and try again. Something like this should be OK:

@ IN      CAA     128 issue "letsencrypt.org"
  IN      CAA     128 issuewild ";"
  IN      CAA     128 iodef "mailto:hostmaster@wageindicator.org"

But don't trust that. Refer to the documentation that you mention above
so that you understand what these records mean.

Also note that there are no CAA records for any of the other domains either.
They will all need CAA records for LetsEncrypt to work.

You can either publish CAA records for every individual domain (with
and without "www.") or you can publish them for the base domains (without
"www.") but exclude the record that mentions issuewild.

Please note that CAA records are NOT MANDATORY for Let's Encrypt to work! A valid DNS result signaling the non-existence of a CAA record is also fine.

However, an invalid DNS result when querying for a CAA record is NOT fine.

That said, I have no idea where the error from the Let's Encrypt validation server comes from. If we check Unboundtest, we see a perfectly fine "NOERROR" result https://unboundtest.com/m/CAA/wageindicator.org/7CWYBMGC which should allow issuance.

1 Like
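To make the two points above concrete (the suggested CAA records, and the difference between a clean "no CAA record" answer and a SERVFAIL), here is an added example that is not part of this thread: an offline simulation of the RFC 8659 CAA tree climb a CA performs before issuing, run against a constructed in-memory zone. The zone data, the `broken.example` name and the helper names are all assumptions made for the example.

```python
# Added example (not the thread's own code): an offline simulation of the CAA
# check a CA performs before issuing (RFC 8659 tree climb), run against a
# constructed in-memory zone, to show why NOERROR-with-no-records is fine
# while SERVFAIL anywhere on the climb blocks issuance.
ISSUER = "letsencrypt.org"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed data: name -> (rcode, [(flags, tag, value), ...]).
# Any name not listed answers NOERROR with an empty CAA set.
ZONE = {
    "wageindicator.org.": ("NOERROR", [(128, "issue", "letsencrypt.org"),
                                       (128, "issuewild", ";"),
                                       (128, "iodef", "mailto:hostmaster@wageindicator.org")]),
    "broken.example.": ("SERVFAIL", []),   # constructed: a misbehaving nameserver
}

def lookup_caa(name):
    """Stand-in for a resolver query: (rcode, records) for one name."""
    return ZONE.get(name, ("NOERROR", []))

def relevant_caa_set(fqdn):
    """Climb from fqdn towards the root and return the first non-empty CAA
    set, or [] if no name on the path has one. NOERROR/NXDOMAIN with no
    records just means 'keep climbing'; anything else is a hard failure."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, records = lookup_caa(name)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            raise RuntimeError(f"DNS problem: {rcode} looking up CAA for {name}")
        if records:
            return records
    return []

def issuance_allowed(fqdn, issuer=ISSUER):
    """True if `issuer` may issue for fqdn ('*.' prefix marks a wildcard)."""
    wildcard = fqdn.startswith("*.")
    records = relevant_caa_set(fqdn[2:] if wildcard else fqdn)
    if not records:                      # no CAA anywhere: unrestricted
        return True
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False                     # unknown critical property: must not issue
    allowed = {"issue": set(), "issuewild": set()}
    for _flags, tag, value in records:
        if tag in allowed:               # strip parameters such as ';validationmethods=...'
            allowed[tag].add(value.split(";")[0].strip())
    # RFC 8659: wildcards use issuewild when present, otherwise fall back to issue;
    # a bare ';' yields the empty issuer '' and therefore authorizes nobody.
    chosen = allowed["issuewild"] if wildcard and allowed["issuewild"] else allowed["issue"]
    return True if not chosen else issuer in chosen
```

With the records above, www.wageindicator.org is allowed for letsencrypt.org, a name with no CAA anywhere (www.euroccupations.org) is also allowed, *.wageindicator.org is refused because of the `issuewild ";"` record, and a SERVFAIL on the climb aborts the check instead of yielding a decision.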

Thanks for the correction.

It does seem odd that references to DNSSEC are made above when wageindicator.org is not DNSSEC-enabled (no DNSKEY or DS records). But I suppose that shouldn't matter.

2 Likes

It seems like a quirk (maybe at my DNS provider?): when I tried requesting the certs again it worked. This time with the www.wageindicator.org domain included (when included last time it returned the DNS CAA error).

certbot certonly -vvvv --webroot -w /var/www/acme-challenge/ --cert-name wageindicator.org -d wageindicator.org -d www.wageindicator.org -d euroccupations.org -d wageindex.eu -d workindicators.com -d www.euroccupations.org -d www.wageindex.eu -d www.wageindicator.org -d www.workindicators.com

Not posting the complete output due to increased verbosity (-vvvv).

1 Like

Spurious DNS lookup errors are AFAIK a known issue, but mostly I remember it being at peak hours and just with the secondary validation sites. Not really your situation.

That said, DNS can be tricky and sometimes seems to be having "hiccups" without really knowing why or on whose side the problem really lies. Trying again after some time sometimes "fixes" the issue.

At least you got the correct cert now :slight_smile:

2 Likes