DNS Problem: SERVFAIL looking up TXT for _acme-challenge.X - the domain's nameservers may be malfunctioning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sibroschina.tech

I ran this command: sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook 'acme-dns-client' -d app.sibroschina.tech

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for app.sibroschina.tech

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: app.sibroschina.tech
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.app.sibroschina.tech - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: cndns.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cndns.com

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.4

I'm trying to create an acme-dns server hosted on my Ubuntu machine, but I'm getting this error in the logs:
2023-11-28 02:39:28,386:INFO:certbot._internal.auth_handler:Challenge failed for domain app.sibroschina.tech
2023-11-28 02:39:28,386:INFO:certbot._internal.auth_handler:dns-01 challenge for app.sibroschina.tech
2023-11-28 02:39:28,386:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: app.sibroschina.tech
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.app.sibroschina.tech - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

2023-11-28 02:39:28,387:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-11-28 02:39:28,387:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-11-28 02:39:28,387:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-11-28 02:39:28,388:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/3462/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1873, in main
return config.func(config, plugins)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/3462/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-11-28 02:39:28,404:ERROR:certbot._internal.log:Some challenges have failed.


acme-dns config file for reference:

I see the CNAME:

_acme-challenge.app.sibroschina.tech canonical name = f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech

But that [long] name doesn't resolve to any IP.

Tried:

nslookup f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech a.ezdnscenter.com
nslookup f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech b.ezdnscenter.com

Yeah, I too see an issue using Let's Debug with these results https://letsdebug.net/app.sibroschina.tech/1690997?debug=y

TXTRecordError
FATAL
An error occurred while attempting to lookup the TXT record on _acme-challenge.app.sibroschina.tech . Any resolver errors that the Let's Encrypt CA encounters on this record will cause certificate issuance to fail.
DNS response for _acme-challenge.app.sibroschina.tech/TXT did not have an acceptable response code: SERVFAIL

Yet https://unboundtest.com/ doesn't seem to be having an issue
https://unboundtest.com/m/TXT/_acme-challenge.app.sibroschina.tech/PSBTF5AE


Really? :) SERVFAIL


Sorry! Thanks for catching that @MikeMcQ :)


Sorry, I didn't understand. What changes do I need to make to get it to work?

The CNAME has no IP:


auth.sibroschina.tech is mapped to an IP address, and an NS record is also added.

Do you understand how CNAMEs work?
"f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech" has no IP.


Yes, I know. I have done the setup in another environment, but somehow it's failing for this one, and I haven't created any record for f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech.

The above record was prompted at the time of the new domain registration using certbot, which said to add the above entry against _acme-challenge.app.sibroschina.tech.

You have. There is a CNAME for the ACME challenge for your app subdomain. It goes to a subdomain of your auth domain. But there is no IP address (A record) for that auth subdomain:

 dig +noall +answer CNAME _acme-challenge.app.sibroschina.tech

_acme-challenge.app.sibroschina.tech. 286 IN CNAME f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech.

auth.sibroschina.tech is mapped to the acme-dns server's IP address.

I don't think so. Please see the errors described here:

https://dnsviz.net/d/_acme-challenge.app.sibroschina.tech/dnssec/


I'll share the screenshot once I get DNS access, but I'm 100% confident that it's mapped to the IP address of the acme-dns server (public IP).
Maybe some issue with the cndns provider, not sure.

The problem is not with "auth.sibroschina.tech".
The problem is with "f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech".


And what should be the expected record for f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech?

I didn't know that we have to create an entry for this as well?

I will repeat myself [once]:


OK, can you explain to me what a CNAME is, and how it works over here?

You appear to be missing an NS record delegation for the auth.sibroschina.tech sub-zone. It tells the Internet that DNS requests for *.auth.sibroschina.tech need to be directed to the acme-dns server's public IP.

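The replies above (the CNAME check with dig, the "no IP for the CNAME target" point, and the missing NS delegation) describe one chain that can be walked mechanically. The script below is an added example, not code from this thread, certbot or acme-dns. It takes a `lookup(qname, rtype)` function so the same logic runs offline against a constructed record table here (the acme-dns IP `192.0.2.10` and the TXT value are made up; the names are the ones from the thread) and against the live system resolver via dnspython when you swap in `resolver_lookup`.

```python
"""Walk the acme-dns delegation chain behind a dns-01 SERVFAIL.

Added example (not code from the thread, certbot or acme-dns). It checks the
three things the replies above keep pointing at:

  1. _acme-challenge.<host> is a CNAME into the acme-dns zone
  2. that zone is delegated: an NS record, plus an A record for the NS host
  3. the CNAME target actually answers a TXT query

`lookup(qname, rtype)` is injected, so the logic runs here against a
constructed record table; `resolver_lookup` wraps dnspython for real use.
"""
from typing import Callable, Dict, List, Tuple, Union

Lookup = Callable[[str, str], List[str]]
# value is either the answer list or an rcode string such as "SERVFAIL"
Records = Dict[Tuple[str, str], Union[List[str], str]]


class LookupFailed(Exception):
    """A query that came back with a non-NOERROR rcode (NXDOMAIN, SERVFAIL...)."""


def fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."


def table_lookup(records: Records) -> Lookup:
    """Build a lookup over a constructed record table (offline stand-in for DNS)."""
    def lookup(qname: str, rtype: str) -> List[str]:
        value = records.get((fqdn(qname), rtype.upper()), "NXDOMAIN")
        if isinstance(value, str):
            raise LookupFailed(value)
        return list(value)
    return lookup


def resolver_lookup(qname: str, rtype: str) -> List[str]:
    """Live lookup via the system resolver (needs dnspython; not used by the demo)."""
    import dns.resolver  # type: ignore
    try:
        answer = dns.resolver.resolve(qname, rtype)
    except dns.resolver.NoAnswer:
        return []
    except dns.resolver.NXDOMAIN:
        raise LookupFailed("NXDOMAIN")
    except dns.resolver.NoNameservers:
        raise LookupFailed("SERVFAIL")
    return [r.to_text().strip('"') for r in answer]


def check_acme_dns_delegation(host: str, auth_zone: str, lookup: Lookup) -> List[str]:
    """Return the problems found along the chain; an empty list means it looks right."""
    problems: List[str] = []
    challenge = fqdn("_acme-challenge." + host)
    zone = fqdn(auth_zone)

    # 1. the CNAME that acme-dns-client asked you to create
    try:
        cnames = lookup(challenge, "CNAME")
    except LookupFailed as e:
        return [f"{challenge} CNAME lookup failed: {e}"]
    if not cnames:
        return [f"{challenge} has no CNAME; expected one pointing into {zone}"]
    target = fqdn(cnames[0])
    if not target.endswith("." + zone):
        problems.append(f"CNAME target {target} is not under {zone}")

    # 2. delegation of the acme-dns zone from the parent (the DNS provider's zone)
    try:
        ns_hosts = lookup(zone, "NS")
    except LookupFailed:
        ns_hosts = []
    if not ns_hosts:
        problems.append(f"{zone} has no NS record: the parent zone must delegate it to the acme-dns host")
    for ns_host in ns_hosts:
        try:
            glue = lookup(ns_host, "A")
        except LookupFailed:
            glue = []
        if not glue:
            problems.append(f"NS host {fqdn(ns_host)} has no A record")

    # 3. what the CA actually queries: TXT at the end of the CNAME chain
    try:
        if not lookup(target, "TXT"):
            problems.append(f"{target} resolves but holds no TXT record")
    except LookupFailed as e:
        problems.append(f"{target} TXT lookup failed: {e}")
    return problems


# Constructed record tables mirroring the thread (192.0.2.10 is a documentation
# address standing in for the real acme-dns IP; the TXT value is made up).
UUID_NAME = "f1812fa2-256a-4550-810c-cc4567b0f690.auth.sibroschina.tech."
BROKEN: Records = {
    ("_acme-challenge.app.sibroschina.tech.", "CNAME"): [UUID_NAME],
    ("auth.sibroschina.tech.", "A"): ["192.0.2.10"],
    (UUID_NAME, "TXT"): "SERVFAIL",   # what the CA reported
}
FIXED: Records = dict(BROKEN)
FIXED[("auth.sibroschina.tech.", "NS")] = ["auth.sibroschina.tech."]  # delegation at the parent
FIXED[(UUID_NAME, "TXT")] = ["constructed-challenge-token"]            # served by acme-dns

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        found = check_acme_dns_delegation("app.sibroschina.tech", "auth.sibroschina.tech", table_lookup(table))
        print(label, found or "ok")
```

The `FIXED` table is also the shortest statement of what the parent zone at the DNS provider needs: the existing `auth` A record, an `auth NS auth.sibroschina.tech.` delegation pointing at the acme-dns host, and then the TXT answer comes from acme-dns itself rather than from the provider's servers. Running the check with `resolver_lookup` from outside your network is the closest stand-in for what the CA's resolver sees.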