DNS problem: SERVFAIL looking up CAA

Hello,

I am having a problem renewing my certificate for the domain 162skate.org
I tried both DNS and WEB challenges without any success.

command run:
$ certbot certonly --manual -d 162skate.org --preferred-challenges=dns -v

With the DNS challenge, it asked me to create the ACME challenge TXT record, which I did,
but after validating it, I have the following error:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: 162skate.org
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for 162skate.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

I also created the CAA record for 162skate.org, but it still doesn't work.
Any guess about the error received?

Thank you in advance!

Logs received:

HTTP 200
Server: nginx
Date: Wed, 15 May 2024 08:56:18 GMT
Content-Type: application/json
Content-Length: 754
Connection: keep-alive
Boulder-Requester: 290956220
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 6Jd4kJYiY43cXJAQEIknoCh3srGMO0vWDJ2orXantYr3YaxYnkg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "162skate.org"
  },
  "status": "invalid",
  "expires": "2024-05-22T08:55:27Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: DNS problem: SERVFAIL looking up CAA for 162skate.org - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/350996717297/sL-bEg",
      "token": "hiqnBgmi4qMlLsEn9I4B9HA5JUiJhz3tEd18WvileV4",
      "validationRecord": [
        {
          "hostname": "162skate.org"
        }
      ],
      "validated": "2024-05-15T08:56:13Z"
    }
  ]
}

There are some DNS errors visible at 162skate.org | DNSViz. My advice is to first fix those and afterwards try again.

Also, but not related to your current problem: is there a specific reason why you're using the dns-01 challenge and then also with the manual plugin, which is difficult if not impossible to automate? Can't you use the Route53 DNS plugin?

3 Likes
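The SERVFAIL in the error above comes from the CA's own CAA query against the domain's authoritative nameservers, not from the TXT record. As an added example (not from this thread, Certbot, or Boulder), the script below builds a raw CAA query with only the Python standard library, sends it to one nameserver, and classifies the RCODE the way an ACME CA treats CAA lookups: NOERROR/NXDOMAIN with no records lets issuance continue, SERVFAIL blocks it. The nameserver IP argument and the constructed SERVFAIL packet are assumptions for illustration.

```python
import socket
import struct
import sys

QTYPE_CAA = 257  # CAA record type (RFC 8659)
TXID = 0x1234    # fixed transaction id so the reply can be matched
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int, txid: int = TXID) -> bytes:
    """Minimal DNS query with RD=0, so an authoritative server answers from its own zone."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(data: bytes) -> dict:
    """Pull the fields a CAA check cares about out of the 12-byte DNS header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ancount": ancount}


def classify(hdr: dict) -> str:
    """Map one CAA response onto the decision an ACME CA makes from it."""
    rcode = RCODES.get(hdr["rcode"], str(hdr["rcode"]))
    if hdr["tc"]:
        return "RETRY: response truncated, repeat the query over TCP"
    if rcode in ("NOERROR", "NXDOMAIN") and hdr["ancount"] == 0:
        return f"OK: {rcode} with no CAA records here; the CA checks the parent domain next"
    if rcode == "NOERROR":
        return f"OK: {hdr['ancount']} CAA record(s); confirm one permits letsencrypt.org"
    return f"FAIL: {rcode} on the CAA lookup; the CA treats this as a lookup failure and will not issue"


def check_caa(name: str, server_ip: str, timeout: float = 3.0) -> str:
    """Send a single CAA query to one authoritative nameserver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, QTYPE_CAA), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["txid"] != TXID:
        return "FAIL: transaction id mismatch, reply ignored"
    return classify(hdr)


# Constructed sample: a SERVFAIL reply (QR=1, RCODE=2) echoing the question section.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", TXID, 0x8002, 1, 0, 0, 0) + build_query("162skate.org", QTYPE_CAA)[12:]

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py 162skate.org <authoritative NS IP>
        print(check_caa(sys.argv[1], sys.argv[2]))
    else:
        print(classify(parse_header(SAMPLE_SERVFAIL)))
```

Run it once per authoritative nameserver of the zone; Let's Encrypt validates from several vantage points, so one broken or unreachable server is enough to produce the "secondary validation" SERVFAIL.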

I didn't see anything about a Route53 plugin. Do you have more information or documentation on it?

It's mentioned in the DNS Plugins section of the Certbot User Guide at User Guide — Certbot 2.10.0 documentation.

Its documentation can be found at Welcome to certbot-dns-route53’s documentation! — certbot-dns-route53 0 documentation.

3 Likes