DNS problem: SERVFAIL looking up TXT for _acme-challenge

I’m getting the error "DNS problem: SERVFAIL looking up TXT for _acme-challenge.nimroddayan.com".
I want to set up auto-renewing wildcard Let's Encrypt certificates on Namecheap using certbot + acme-dns for my domain: nimroddayan.com. I followed this guide on Ubuntu server 18.04.

After setting up acme-dns and Namecheap A, NS and CNAME records and getting the manual auth hook script from here, I ran this command:

sudo certbot certonly -d "*.nimroddayan.com" -d "nimroddayan.com" --agree-tos --manual-public-ip-logging-ok --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --debug-challenges

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for nimroddayan.com
dns-01 challenge for nimroddayan.com
Waiting for verification…
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. nimroddayan.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.nimroddayan.com

  • The following errors were reported by the server:
    Domain: nimroddayan.com
    Type: None
    Detail: DNS problem: SERVFAIL looking up TXT for
    _acme-challenge.nimroddayan.com

My web server is (include version):
Acme-dns v0.7.2

The operating system my web server runs on is (include version):
Ubuntu server 18.04

certbot 0.23.0

$ dig _acme-challenge.nimroddayan.com txt
; <<>> DiG 9.10.6 <<>> _acme-challenge.nimroddayan.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7310
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.nimroddayan.com. IN TXT
;; ANSWER SECTION:
_acme-challenge.nimroddayan.com. 1794 IN CNAME 4cc69dec-b312-4acf-8a7a-a77b86c06c34.acme.nimroddayan.com.
;; Query time: 102 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Aug 25 10:13:53 EEST 2019
;; MSG SIZE rcvd: 116
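To see why the dig output above is a SERVFAIL rather than a missing record, it helps to decode the response at the wire level: the resolver did return the CNAME it found, but then failed to get anything for the alias target. The following is an added example (not code from this thread, certbot or acme-dns) that builds a TXT query, parses a DNS response including RFC 1035 compression pointers, and classifies the outcome. The two response messages are constructed to mirror the dig output in the post (transaction id 7310, flags qr rd ra, RCODE SERVFAIL, one CNAME answer); the EDNS OPT pseudo-record dig listed under ADDITIONAL is left out, and the NOERROR counterpart with a TXT token is invented for comparison.

```python
"""Decode a DNS answer the way a client sees it, so that a SERVFAIL can be
told apart from a missing TXT record. Added example; not code from the thread
or from acme-dns/certbot. The message bytes below are constructed to mirror
the dig output in the post (RCODE=SERVFAIL, one CNAME answer, no TXT); the
EDNS OPT pseudo-record dig listed under ADDITIONAL is omitted."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_CNAME, TYPE_TXT = 5, 16


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int = 0x1C8E) -> bytes:
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:              # pointer: top two bits set
            if not jumped:
                end = off + 2                    # a pointer ends the name in-line
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Extract transaction id, RCODE and the answer RRs (CNAME and TXT decoded)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                     # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_CNAME:
            value, _ = decode_name(msg, off)     # may point back into the question
        elif rtype == TYPE_TXT:
            value = rdata[1:1 + rdata[0]].decode("ascii")   # first <character-string>
        else:
            value = rdata.hex()
        answers.append((name, rtype, value))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def diagnose(resp: dict) -> str:
    """Turn a parsed response into the one-line verdict an operator wants."""
    cnames = [v for _, t, v in resp["answers"] if t == TYPE_CNAME]
    txts = [v for _, t, v in resp["answers"] if t == TYPE_TXT]
    if resp["rcode"] == "SERVFAIL" and cnames:
        return (f"SERVFAIL after CNAME: the resolver followed the alias to {cnames[-1]} "
                "but got no usable answer from the name server delegated for it")
    if resp["rcode"] != "NOERROR":
        return f"{resp['rcode']}: lookup failed before any record was found"
    if txts:
        return "OK: TXT " + ", ".join(txts)
    return "NOERROR without TXT: name exists but carries no TXT record"


QNAME = "_acme-challenge.nimroddayan.com"
_question = encode_name(QNAME) + struct.pack("!HH", TYPE_TXT, 1)
# The CNAME target shares the "nimroddayan.com" suffix with the question, so the
# server compresses it with a pointer to offset 28, where that suffix starts.
_target = encode_name("4cc69dec-b312-4acf-8a7a-a77b86c06c34.acme")[:-1] + b"\xc0\x1c"
_cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 1794, len(_target)) + _target
# flags 0x8182 = QR | RD | RA | RCODE 2 (SERVFAIL), matching the dig header in the post
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 7310, 0x8182, 1, 1, 0, 0) + _question + _cname_rr

# Constructed healthy counterpart: NOERROR with one TXT record carrying a token
_token = b"constructed-validation-token"
_txt_rr = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 60, len(_token) + 1)
           + bytes([len(_token)]) + _token)
NOERROR_RESPONSE = struct.pack("!HHHHHH", 7310, 0x8180, 1, 1, 0, 0) + _question + _txt_rr

if __name__ == "__main__":
    for sample in (SERVFAIL_RESPONSE, NOERROR_RESPONSE):
        print(diagnose(parse_response(sample)))
```

The verdict for the constructed SERVFAIL message is the situation in this thread: the alias resolved, the delegated server for `acme.nimroddayan.com` did not answer. Unboundtest, which the next replies point to, is the quickest way to confirm that the CA's resolver sees the same thing.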

So acme-dns is running on ns1.nimroddayan.com?

Are you sure you have port 53 TCP and UDP opened on its firewall?


Hi @nimroddayan

Checking with Unboundtest, there is a timeout.

https://unboundtest.com/m/TXT/_acme-challenge.nimroddayan.com/BDJMTZZO

Unboundtest uses the same configuration as Letsencrypt, so Letsencrypt has the same timeout.

Oh, that's simple.

Checked manual, you have a CNAME to 4cc69dec-b312-4acf-8a7a-a77b86c06c34.acme.nimroddayan.com.

That's your own name server - ns1.nimroddayan.com

ns1.nimroddayan.com internet address = 212.80.207.37
ns1.nimroddayan.com AAAA IPv6 address = fe80::250:56ff:fe33:d539

But your AAAA address is wrong, that's a private address. And your 212.* doesn't answer.


Yes, ns1.nimroddayan.com is where acme-dns is running on port 53.
When I run: sudo ufw status, I can see that port 53 is open both for tcp/udp.

I removed the AAAA record and I’m left with only A record now.
I’m not sure why it is not responding.

I checked acme-dns status and I see:
$ sudo systemctl status acme-dns
● acme-dns.service - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely
   Loaded: loaded (/etc/systemd/system/acme-dns.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-08-25 07:41:58 UTC; 2s ago
 Main PID: 10982 (acme-dns)
    Tasks: 5 (limit: 1111)
   CGroup: /system.slice/acme-dns.service
           └─10982 /usr/local/bin/acme-dns

Aug 25 07:41:58 Orchid systemd[1]: Started Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=info msg="Using config file" file=/etc/acme-dns/config.cfg
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=info msg="Connected to database"
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=debug msg="Adding new record to domain" domain=acme.nimroddayan.com. recordtype=A
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=debug msg="Adding new record to domain" domain=ns1.nimroddayan.com. recordtype=A
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=debug msg="Adding new record to domain" domain=acme.nimroddayan.com. recordtype=NS
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=debug msg="Adding new record to domain" domain=acme.nimroddayan.com. recordtype=SOA
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=info msg="Listening HTTP" host="127.0.0.1:9000"
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=info msg="Listening DNS" addr="127.0.0.1:53" proto=udp
Aug 25 07:41:58 Orchid acme-dns[10982]: time="2019-08-25T07:41:58Z" level=info msg="Listening DNS" addr="127.0.0.1:53" proto=tcp

Here’s a snippet of my acme-dns config:
[general]
listen = "127.0.0.1:53"
protocol = "both"
domain = "acme.nimroddayan.com"
nsname = "ns1.nimroddayan.com"
nsadmin = "admin.nimroddayan.com"
records = [
    "acme.nimroddayan.com. A 212.80.207.37",
    "ns1.nimroddayan.com. A 212.80.207.37",
    "acme.nimroddayan.com. NS ns1.nimroddayan.com.",
]

Unless there’s some kind of forwarding set up, it needs to listen on 0.0.0.0 or the applicable non-localhost IP, not just 127.0.0.1.

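The listen-address mistake in the posted config, and the link-local AAAA record found earlier in the thread, are both things a small pre-flight check can catch before a certificate run fails. The following is an added example (not acme-dns's own code or tooling) that parses the `[general]` section of a config in the form posted above and flags a DNS listener bound to loopback, A/AAAA records that are not globally routable, a missing A/AAAA record for `nsname`, and a listen address that differs from the address published for the name server. The constructed sample reproduces the posted snippet; the AAAA line is added to it here only to mirror the `fe80::` address reported for ns1 earlier in the thread, and was not in the posted file. The parser understands only the `key = "value"` and `key = [ "...", ]` forms the snippet uses.

```python
"""Lint the [general] section of an acme-dns config for the two problems raised in
this thread: a DNS listener bound to loopback (unreachable from public resolvers)
and name-server addresses that are not globally routable. Added example; not
acme-dns code. The parser only understands the key = "value" and
key = [ "...", ] forms used in the posted snippet."""
import ipaddress
import re

UNSPECIFIED = {"", "0.0.0.0", "::"}              # bind to every interface


def parse_general(text: str) -> dict:
    """Return the key/value pairs of [general]; `records` becomes a list of strings."""
    cfg, key, items, in_general = {}, None, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if items is not None:                    # inside a multi-line array
            if line.startswith("]"):
                cfg[key], items = items, None
            else:
                items.extend(re.findall(r'"([^"]*)"', line))
            continue
        if line.startswith("["):
            in_general = line == "[general]"
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)", line)
        if not (in_general and m):
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("["):
            items = re.findall(r'"([^"]*)"', value)
            if value.endswith("]"):
                cfg[key], items = items, None
        else:
            cfg[key] = value.strip('"')
    return cfg


def _ip_findings(label: str, addr: str) -> list:
    """Findings for an address that public resolvers could never reach."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{label}: {addr!r} is not a valid IP address"]
    if ip.is_loopback:
        return [f"{label}: {addr} is a loopback address; only this host can reach it"]
    if ip.is_link_local:
        return [f"{label}: {addr} is link-local; unreachable from the Internet"]
    if ip.is_private:
        return [f"{label}: {addr} is a private address; unreachable from the Internet"]
    return []


def lint(text: str) -> list:
    cfg = parse_general(text)
    findings = []
    host, _, port = cfg.get("listen", "").rpartition(":")
    host = host.strip("[]")                      # IPv6 literals are written [addr]:port
    if port != "53":
        findings.append(f"listen: port {port or '?'} is not 53, which is where resolvers query")
    listen_findings = [] if host in UNSPECIFIED else _ip_findings("listen", host)
    findings += listen_findings
    glue = {}                                    # name -> set of A/AAAA addresses served
    for rec in cfg.get("records", []):
        parts = rec.split()
        if len(parts) != 3:
            findings.append(f"records: cannot parse {rec!r}")
            continue
        name, rtype, value = parts
        if rtype in ("A", "AAAA"):
            findings += _ip_findings(f"records {name} {rtype}", value)
            glue.setdefault(name, set()).add(value)
    ns = cfg.get("nsname", "").rstrip(".") + "."
    if ns not in glue:
        findings.append(f"records: no A/AAAA record for nsname {ns}")
    elif host not in UNSPECIFIED and not listen_findings and host not in glue[ns]:
        findings.append(f"listen: {host} is not among the addresses published for {ns}: {sorted(glue[ns])}")
    return findings


# Constructed from the snippet posted in the thread; the AAAA line is added here to
# mirror the link-local address the thread found on ns1 (it was not in the posted file).
POSTED_CONFIG = """
[general]
listen = "127.0.0.1:53"
protocol = "both"
domain = "acme.nimroddayan.com"
nsname = "ns1.nimroddayan.com"
nsadmin = "admin.nimroddayan.com"
records = [
    "acme.nimroddayan.com. A 212.80.207.37",
    "ns1.nimroddayan.com. A 212.80.207.37",
    "ns1.nimroddayan.com. AAAA fe80::250:56ff:fe33:d539",
    "acme.nimroddayan.com. NS ns1.nimroddayan.com.",
]
"""

# Same file with the listener bound to the public address, as the thread ended up doing
FIXED_CONFIG = POSTED_CONFIG.replace('"127.0.0.1:53"', '"212.80.207.37:53"').replace(
    '    "ns1.nimroddayan.com. AAAA fe80::250:56ff:fe33:d539",\n', "")

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(text) or ["no findings"])
```

Run against the posted snippet it reports the loopback listener and the link-local AAAA; against the corrected one it reports nothing. `0.0.0.0` and `::` are accepted as bind-everything addresses because that is what the reply above suggests; whether a given acme-dns build starts with them is something the tool does not check, so the host check is deliberately lenient there.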

I tried with 0.0.0.0 just now and acme-dns failed to start.
I changed to the public IP and it works now!

Thank you all so much! :slight_smile:

I wrote a GitHub Gist with updates to the original tutorial I followed in case anybody else is interested.

