DNS problem: SERVFAIL looking up CAA


Hi folks!

When trying to request a new certificate for a newly added host to my domain I keep running into SERVFAIL errors. I am doing this using the LE module for Ansible, and I’ve been using this for quite some time now, so I’m less inclined to think the issue is in the software.

From what I can see is that I’m doing everything right, DNSSEC checks out, CAA is defined etc… What is the LE resolver doing differently then the rest of the world? :slight_smile:

The only difference is that this is the first certificate I am requesting with a dash in the name.

Thanks in advance!



Hi @Thulium-Drake

there is no dns entry with that domain.


Not an A, AAAA and no _acme-challenge - record. So http-01- and dns-01 validation can’t work


Hi @JuergenAuer,

Well there is a CNAME record for this domain, but it points to something that isn’t resolvable from the Internet… As I want to use this certificate on a internal server (but I still want the complete chain of trust without rolling my own CA).

Is my assumption correct that LE will do someting along the lines of:

  1. resolve auth-zm1.element-networks.nl -> auth.zm1.element-networks.nl
  2. resolve auth.zm1.element-networks.nl, which is being served by ns1-zm1.element-networks.nl, but because ns1-zm1.element-networks.nl lives on it will never resolve from the Internet.
  3. Scream panic and fire.

Is there any valid way to request certificates like this for stuff that lives inside (I’m not yet mentally prepared to open up LDAP to the world :wink: )? Or is the only way with wildcards?

Thanks in advance!


You don’t need a public A-record to get a certificate. But then you have to use dns-01 - validation and create a dns text entry


with a special value. But: New certificate order -> new special value, so you have to do that every 60 - 90 days. So normally you should use an API of your dns provider.

Or you use a redirect

_acme-challenge.auth-zm1.element-networks.nl CNAME otherDNSServerWithOwnApi

so you can use the API of another service.

And if you have to use dns-01 - validation, you may order a wildcard certificate. Then you need only one certificate :wink:


Well, I do use DNS validation, as it is the easiest one (especially when you need to request certificates for stuff that doesn’t necessarily uses HTTP) and I have automated the whole process in my Ansible playbooks (soon on my Github page ^^), so adding a new cert is actually easier for me then rewriting it for a wildcard :slight_smile: (and I run my own DNS master, so API access is no issue)

Just as a test, I’ve replaced the CNAME (which points to a unresolvable name) with an A record with it’s internal IP, works like a charm. Sooo, my guess is that LE wants to resolve any CNAMEs first and check their destinations.


Ultimately, LE just needs to be able to resolve (from the Internet) a TXT record for _acme-challenge.<site FQDN>. If that name is a CNAME pointing somewhere else, the target needs to have a TXT record associated with it that contains the expected key authorization value.

The TXT record needs to be resolvable from the Internet. And whatever CNAME(s) you have in place need to direct the original query to that record.


Yes. If you use a CNAME, there should something exist.

If I know it correct, a dns server sends different results, if there is no CAA entry, but one other entry exists or doesn’t exist. The first is ok, the second is an error.


Well that settles it then :slight_smile: note to self: make sure the destination CNAME exists on the Internet, or just register an A record with an internal IP.

Thanks for helping me out!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.