DNS problem: SERVFAIL looking up CAA

Good afternoon!

I saw hundreds of topics with issues like this, but I cannot find a solution.

My domain is: dej.in.ua

It produced this output:

2022-04-19 12:39:02,634:DEBUG:certbot.main:certbot version: 0.40.0
2022-04-19 12:39:02,634:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--cert-name', 'dej.in.ua', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', 'webmaster@dej.in.ua', '--webroot-map', '{"dej.in.ua":"\\/usr\\/local\\/ispconfig\\/interface\\/acme"}']
2022-04-19 12:39:02,634:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-19 12:39:02,642:DEBUG:certbot.log:Root logging level set at 20
2022-04-19 12:39:02,643:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-04-19 12:39:02,644:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-04-19 12:39:02,644:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7ff3a8d11e50>
Prep: True
2022-04-19 12:39:02,645:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7ff3a8d11e50> and installer None
2022-04-19 12:39:02,645:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-04-19 12:39:02,648:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/76667584', new_authzr_uri=None, terms_of_service=None), 59d182ffd014c59cfb9e80ab52a35f76, Meta(creation_dt=datetime.datetime(2020, 1, 26, 9, 35, 25, tzinfo=<UTC>), creation_host='do4.dej.in.ua'))>
2022-04-19 12:39:02,650:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-04-19 12:39:02,652:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-04-19 12:39:03,029:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-04-19 12:39:03,030:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 12:39:02 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "c6AkQhBTtlI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-04-19 12:39:03,031:INFO:certbot.main:Obtaining a new certificate
2022-04-19 12:39:03,233:DEBUG:certbot.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0358_key-certbot.pem
2022-04-19 12:39:03,246:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0358_csr-certbot.pem
2022-04-19 12:39:03,247:DEBUG:acme.client:Requesting fresh nonce
2022-04-19 12:39:03,247:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-04-19 12:39:03,366:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-04-19 12:39:03,366:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 12:39:03 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101SSx5OXffutUNWfdjyOOLTSplueAG5dPpAKFvHvpYI5o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-04-19 12:39:03,367:DEBUG:acme.client:Storing nonce: 0101SSx5OXffutUNWfdjyOOLTSplueAG5dPpAKFvHvpYI5o
2022-04-19 12:39:03,367:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "dej.in.ua"\n    }\n  ]\n}'
2022-04-19 12:39:03,369:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzY2Njc1ODQiLCAibm9uY2UiOiAiMDEwMVNTeDVPWGZmdXRVTldmZGp5T09MVFNwbHVlQUc1ZFBwQUtGdkh2cFlJNW8iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "OeXjVIYqYX2fshW6LfI3OzknjQVQl2mH2UoqkBfP3F_Q3l7caYguoaq2qGyLMmz3fxMcRAfLeF75aMrFdLU-3l4OJU-ppyaVYehosTyaOTMdrvrBYb3UuV6uOUshFjIfFrn5pKCDGtTbiT8CC8nBVz9xP6QgtzPLBOEiSCDWCh2pWj_MM4crk2AYwHNaJaz7GETzlAU9poVE_jsodcogyUK2Eq6BLB1W23nu4fOLroKKqKRpa1FaBJyybWE4jx1iq888vZ-gtOsvVNusQhTQ-oQCgfRINHVwS7cJtc6VOwilroWgMdW6HHMAXvAPhJESacvOrtecgO5zs_Po6D_aAA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImRlai5pbi51YSIKICAgIH0KICBdCn0"
}
2022-04-19 12:39:03,745:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 331
2022-04-19 12:39:03,746:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 19 Apr 2022 12:39:03 GMT
Content-Type: application/json
Content-Length: 331
Connection: keep-alive
Boulder-Requester: 76667584
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/76667584/81489209550
Replay-Nonce: 0102ub0F_bZy5ouDcT2wELxoykVD2s-d4lYSRVAoBWdix7c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-04-26T12:39:03Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "dej.in.ua"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/99886435520"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/76667584/81489209550"
}
2022-04-19 12:39:03,746:DEBUG:acme.client:Storing nonce: 0102ub0F_bZy5ouDcT2wELxoykVD2s-d4lYSRVAoBWdix7c
2022-04-19 12:39:03,747:DEBUG:acme.client:JWS payload:
b''
2022-04-19 12:39:03,748:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/99886435520:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzY2Njc1ODQiLCAibm9uY2UiOiAiMDEwMnViMEZfYlp5NW91RGNUMndFTHhveWtWRDJzLWQ0bFlTUlZBb0JXZGl4N2MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzk5ODg2NDM1NTIwIn0",
  "signature": "VacH0nJpy4K3FsWJmMXFYWclxLieJ65MMxch2sulypctM7YE7_Hi2CLdAep7apeIz3QKiXWGIjxY4MDfOcUvldVGY9uWkFp-EyknivRGE6GnHvUEDIL1coMSQvy237B_oINpqnI4oqzf-L2LZRCEMT1EWOFZd-Khjl96qRS4_jPdCXr1XUK_vhq9fqXWJyGuwWfck1jnluF36vixEjlxO8zYuv-RTjrWdpPYTjJNlm1_0HuYNUnrZJRAumY6Z9KGgNExgmvnTsevtRJIXwM7SLG_nDNghVWPDjKqVCxwes9EGuIjLo7L7yfeXNBnKss2AmfJkgDWBfH-XSCHz3VZcw",
  "payload": ""
}
2022-04-19 12:39:03,899:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99886435520 HTTP/1.1" 200 790
2022-04-19 12:39:03,900:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 12:39:03 GMT
Content-Type: application/json
Content-Length: 790
Connection: keep-alive
Boulder-Requester: 76667584
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102NiiKEr_4bcvG5TFcJlv0CblHl5T1KOPv89c0VtFedS8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dej.in.ua"
  },
  "status": "pending",
  "expires": "2022-04-26T12:39:03Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/oL18jQ",
      "token": "9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/5QEhQA",
      "token": "9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/TpoWlA",
      "token": "9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk"
    }
  ]
}
2022-04-19 12:39:03,901:DEBUG:acme.client:Storing nonce: 0102NiiKEr_4bcvG5TFcJlv0CblHl5T1KOPv89c0VtFedS8
2022-04-19 12:39:03,901:INFO:certbot.auth_handler:Performing the following challenges:
2022-04-19 12:39:03,902:INFO:certbot.auth_handler:http-01 challenge for dej.in.ua
2022-04-19 12:39:03,902:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2022-04-19 12:39:03,906:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk
2022-04-19 12:39:03,906:INFO:certbot.auth_handler:Waiting for verification...
2022-04-19 12:39:03,907:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2022-04-19 12:39:03,909:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/oL18jQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzY2Njc1ODQiLCAibm9uY2UiOiAiMDEwMk5paUtFcl80YmN2RzVURmNKbHYwQ2JsSGw1VDFLT1B2ODljMFZ0RmVkUzgiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzk5ODg2NDM1NTIwL29MMThqUSJ9",
  "signature": "tY_DOtAUmy3h8vo2J4vHab8nwKiukxvJeM_OdRgYR8qYBIdUCk8SuphopkAc5g9HknTUPVIMHLGYDwby-BQ_Hpt031t6pOmMvQl0ylJeXVDk9vFMazG_ABRrqb1MtA4M5qJ9FG3zmTRd-_9oXNC9BMd0DF9N86og7IHdFWU4QXgfRTjtht7vYiuE7oHwTUQOnvfwid9Wif4IZJdnlYxxu0xJhN0N93IDgJLBBSNfhwyKoyN48x26O5MWaqvD5kE-QSMuvXqrKOAIZUPN2gvTz9m7mojdNAF-ZqC-KbfIudy3al_RGEHef5IGMtSlvn3pgwPiq_TB0d8m_Z1ZJ8Kbeg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2022-04-19 12:39:04,055:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/99886435520/oL18jQ HTTP/1.1" 200 186
2022-04-19 12:39:04,056:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 12:39:04 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 76667584
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/99886435520>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/oL18jQ
Replay-Nonce: 0102dyda50Q2rUqxGwSzz6ksoPQiKLPxHqQcoAi24Tc42kc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/oL18jQ",
  "token": "9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk"
}
2022-04-19 12:39:04,057:DEBUG:acme.client:Storing nonce: 0102dyda50Q2rUqxGwSzz6ksoPQiKLPxHqQcoAi24Tc42kc
2022-04-19 12:39:05,058:DEBUG:acme.client:JWS payload:
b''
2022-04-19 12:39:05,060:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/99886435520:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzY2Njc1ODQiLCAibm9uY2UiOiAiMDEwMmR5ZGE1MFEyclVxeEd3U3p6Nmtzb1BRaUtMUHhIcVFjb0FpMjRUYzQya2MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzk5ODg2NDM1NTIwIn0",
  "signature": "bgG7iODPAsuBcG3OzkTrm9VUhsyx_ph2RljELmvXkPkd-o5O5bHUSIRbESc8ovkCrO2NJDEyUnT8v_13vrSG-4usCyVcEtJ1vQ94CPSTPk64lJxkAbhkWBioREp6boaUv23TvjfuTrGe-v1-RnJ2E5zaDnBc2N9RyJJJttitz2RAvpAmAqiTTDou--cmAsdN3yEpnofqVzGTSoi9FfUwFMIgxdrzT3J00BbFW9hoyZ6IxfAN_At1bfnvZ1BLbkyrUAl0n3UXls41BClx8_AvUTh56XlacNn6J53dgJuz1Odu1uPgLY2yke03BBeLPOqvxR_CwMirYscJkqjmBKcLkA",
  "payload": ""
}
2022-04-19 12:39:05,194:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99886435520 HTTP/1.1" 200 980
2022-04-19 12:39:05,195:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 12:39:05 GMT
Content-Type: application/json
Content-Length: 980
Connection: keep-alive
Boulder-Requester: 76667584
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102jPgzlB0cQcPPBDY8CPrpNhoFCwIJSQ77MhwbqFbr2jA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "dej.in.ua"
  },
  "status": "invalid",
  "expires": "2022-04-26T12:39:03Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: SERVFAIL looking up CAA for dej.in.ua - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99886435520/oL18jQ",
      "token": "9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk",
      "validationRecord": [
        {
          "url": "http://dej.in.ua/.well-known/acme-challenge/9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk",
          "hostname": "dej.in.ua",
          "port": "80",
          "addressesResolved": [
            "2a03:b0c0:1:e0::5a6:1"
          ],
          "addressUsed": "2a03:b0c0:1:e0::5a6:1"
        }
      ],
      "validated": "2022-04-19T12:39:03Z"
    }
  ]
}
2022-04-19 12:39:05,195:DEBUG:acme.client:Storing nonce: 0102jPgzlB0cQcPPBDY8CPrpNhoFCwIJSQ77MhwbqFbr2jA
2022-04-19 12:39:05,196:WARNING:certbot.auth_handler:Challenge failed for domain dej.in.ua
2022-04-19 12:39:05,196:INFO:certbot.auth_handler:http-01 challenge for dej.in.ua
2022-04-19 12:39:05,197:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: dej.in.ua
Type:   dns
Detail: DNS problem: SERVFAIL looking up CAA for dej.in.ua - the domain's nameservers may be malfunctioning
2022-04-19 12:39:05,197:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-19 12:39:05,198:DEBUG:certbot.error_handler:Calling registered functions
2022-04-19 12:39:05,198:INFO:certbot.auth_handler:Cleaning up challenges
2022-04-19 12:39:05,198:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/9ck2nX4AmzBHLp5Yas_fDg-a9Z3a7ZHhzximkJgNGGk
2022-04-19 12:39:05,198:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-04-19 12:39:05,198:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-04-19 12:39:05,593:DEBUG:certbot.main:certbot version: 0.40.0
2022-04-19 12:39:05,593:DEBUG:certbot.main:Arguments: ['--domains', 'dej.in.ua']
2022-04-19 12:39:05,594:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-04-19 12:39:05,601:DEBUG:certbot.log:Root logging level set at 20
2022-04-19 12:39:05,601:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu bionic

My hosting provider, if applicable, is:
digitalocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
ISPConfig 3.2.8p1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

It might have been a temporary error. You should retry.

https://unboundtest.com/m/CAA/dej.in.ua/SVJIQE6N

1 Like

Thank you for your response!

I think the same. But as I can see in the logs, this problem has existed for a couple of weeks.

1 Like

Then I got lucky, and at least one of your authoritative nameservers is misbehaving.

1 Like

I know that's not a "good practice", but I'm using the same instance as primary and secondary nameserver. So for me it would be a surprise if one of them did not work correctly. Also, this instance contains other sites with letsencrypt certificates, and the other sites don't have a problem like this. :frowning:

I would check if there are known issues with your DNS software. There were some with some versions of powerdns.

1 Like

You did. I have tried several unboundtest and all failed with SERVFAIL

@edejin Do your sites that work have a CAA record in the DNS? As a test you could try removing CAA record.

2 Likes

Well, one of the in.ua DNS servers isn't responding, but I don't think that's really your core issue here.

https://dnsviz.net/d/dej.in.ua/dnssec/?rr=257&a=all&ds=all&ta=.&tk=

DNSViz did manage to find the CAA record, though. Unlike @9peppe, though, I did manage to reproduce the error using unboundtest:

https://unboundtest.com/m/CAA/dej.in.ua/2ACQD463

So, if your DNS server is sometimes failing, you probably need to check with whomever hosts your DNS to check their logs or whatever to figure out why it isn't responding correctly.

You might try removing the CAA record, just as a test, to see if your DNS server is better behaved returning NOERROR than trying to return a result, but I don't know as I have any reason for thinking it'd work better; it's just something you could try.

3 Likes
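The per-nameserver CAA check discussed above, as an added example that is not part of the original posts: it sends a CAA (type 257) query straight to one authoritative server and reports whether the answer is NOERROR, SERVFAIL or missing. The helper names are hypothetical, the sample replies are constructed header-only packets, and a direct query like this does not reproduce DNSSEC validation done by a recursive resolver.

```python
import socket
import struct
import sys

CAA = 257  # CAA resource record type (the rr=257 in the DNSViz URL)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id, good enough for a manual diagnostic


def build_query(name, qtype=CAA, txid=TXID):
    """Build a DNS query (class IN, RD bit clear) for an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify(reply, txid=TXID):
    """Map a raw reply to the outcome that matters for a CAA lookup."""
    if len(reply) < 12:
        return "fail: truncated reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set
        return "fail: not a reply to our query"
    rcode = flags & 0x000F
    if rcode != 0:
        return "fail: " + RCODES.get(rcode, "RCODE %d" % rcode)
    if not flags & 0x0400:  # AA bit
        return "warn: NOERROR but not authoritative (AA clear)"
    # An empty NOERROR answer is a valid result for CAA; an error rcode is not.
    return "ok: CAA returned" if ancount else "ok: NOERROR, no CAA at this name"


def query_server(server_ip, name, timeout=3.0):
    """Ask one nameserver over UDP; a timeout counts as a failure too."""
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server_ip, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError as exc:  # socket.timeout is a subclass of OSError
            return "fail: no reply (%s)" % exc
    return classify(reply)


def constructed_reply(query, rcode, answers=0):
    """Constructed sample: header with QR+AA set; answer section omitted
    because classify() only reads the 12-byte header."""
    return query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, answers, 0, 0) + query[12:]


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: script.py <domain> <nameserver-ip> [...]
        for ip in sys.argv[2:]:
            print(ip, query_server(ip, sys.argv[1]))
    else:  # offline demo on constructed replies
        q = build_query("dej.in.ua")
        for rcode, answers in ((2, 0), (0, 1), (0, 0)):
            print(classify(constructed_reply(q, rcode, answers)))
```

Run it against every address listed in the zone's NS set; a single server that times out or answers SERVFAIL is enough to make lookups fail intermittently.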

Thanks all for your responses!

Currently I'm using latest bind9.

Looks like I need to check bind logs twice :slight_smile:

1 Like

Are the working FQDNs from the same domain as the one that fails CAA?

2 Likes

Good morning!

Yes. This domain also had no problems previously.

Good morning to you too (although night for me)

Right now I cannot reach dej.in.ua DNS at all.
Not with google dig
Not with unboundtest
Not with my own server doing dig
And dnsviz reported errors

1 Like

weird...
I get the A and CAA record.

1 Like

Sorry, that was a reboot.

1 Like

You rebooted the DNS server?
Lord!
The DNS server is the web server [all-in-one]

1 Like

(do people actually see an advantage in hosting their own authoritative nameservers? I get it for stuff like file servers, mailservers, webservers, and the like. But a nameserver? Why would someone do that?)

(Yeah, I know, cPanel, ispconfig, plesk, and other noob-tools have the authoritative nameserver included -- that's not something a noob should have to worry about, goddammit)

I do.
I run plenty of them - they take very little bandwidth and I like being in control - LOL
[but I also use common ones too]

2 Likes

Hurray. First time I have ever seen the CAA. I got SERVFAIL all prior tries

2 Likes

Yes, I rebooted the DNS server because I can't understand why certbot can't renew letsencrypt certificates for the "in.ua" domain.
Currently this issue exists for all my "in.ua" domains and subdomains. But everything is working fine for other domains.
As far as I can see, this problem didn't exist before the beginning of April.

@rg305 Have you looked at dnsviz lately? Looks like something your expertise is needed for.
https://dnsviz.net/d/dej.in.ua/dnssec/

2 Likes