DNS problem: SERVFAIL looking up CAA

My domain is: clientportal.davistaxservices.net

I ran this command: cert renew through ruby acme client

It produced this output: Acme::Client::Error::Caa (Error finalizing order :: While processing CAA for clientportal.davistaxservices.net.
DNS problem: SERVFAIL looking up CAA for clientportal.davistaxservices.net - the domain's nameservers may be malfunctioning)

I'm trying to renew the certificate for portal.tech.cpa which includes a bunch of aliases. One of them is clientportal.davistaxservices.net which can't pass CAA verification.

Hmm. I'm not seeing a SERVFAIL problem with the usual tools:

https://unboundtest.com/m/CAA/clientportal.davistaxservices.net/BIXR2D7F

https://dnsviz.net/d/clientportal.davistaxservices.net/dnssec/?rr=257&a=all&ds=all&ta=.&tk=

Did you just get the error once, or have you tried multiple times?

Have you recently changed DNS service providers, for either davistaxservices.net or the taxdome.com that is being CNAME'd to?

2 Likes

clientportal.davistaxservices.net is a white label of taxdome.com client. I have been seeing the problem since 21 JAN, it blocks the renewing of the certificate for a long time. I have no access to the client dns. DNS for taxdome.com didn't change as well.

For instance:

2022-01-26T08:37:52 
Acme::Client::Error::Caa: Error finalizing order :: While processing CAA for clientportal.davistaxservices.net: DNS problem: SERVFAIL looking up CAA for clientportal.davistaxservices.net - the domain's nameservers may be malfunctioning
2022-01-26T07:05:15 Acme::Client::Error::Caa: Error finalizing order 
While processing CAA for www.lemecgroupadvisors.com: 
DNS problem: SERVFAIL looking up CAA for www.lemecgroupadvisors.com - 
the domain's nameservers may be malfunctioning
2022-01-22T19:52:22 Acme::Client::Error::Caa: Error finalizing order 
While processing CAA for www.prospecttaxes.com: 
DNS problem: SERVFAIL looking up CAA for prospecttaxes.com - 
the domain's nameservers may be malfunctioning
2022-01-21T01:20:20 Acme::Client::Error::Caa: Error finalizing order 
While processing CAA for portal.georgecpafirm.com: DNS problem: 
SERVFAIL looking up CAA for georgecpafirm.com - 
the domain's nameservers may be malfunctioning

The clientportal.davistaxservices.net is client's white label, I have no access to DNS and nothing changed. The taxdome.com dns wasn't changed too.

I have seeing the problem since 21 JAN, it blocks the renewing certificate.

2 Likes

It seems that issue was solved without any action. I don't know why.

1 Like

Hmm. I've been testing every way I could find, and I couldn't get a SERVFAIL no matter what I did. So it must have been fixed before I started poking around at it. Usually a SERVFAIL is due to the server not handling DNSSEC correctly, but it doesn't look like either domain is DNSSEC-signed, so I don't think that's it. Perhaps someone who handles your DNS fixed something? But everything looks fine now, so I'm not sure what else to suggest.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.