DNS validation failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.dualnok.gov.rs

I ran this command: certbot certonly --manual --preferred-challenges=dns -d dualnok.gov.rs -d www.dualnok.gov.rs

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: www.dualnok.gov.rs
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for www.dualnok.gov.rs - the domain's nameservers may be malfunctioning

My web server is (include version): non-relevant

The operating system my web server runs on is (include version):

RHEL 9.4
certbot-2.11.0-1.el9.noarch

My hosting provider, if applicable, is: 195.222.99.150

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.11.0

As an aside, while manual completion of the challenges may be useful for debugging, it's highly encouraged to automate acquiring and installing your certificates.

This means what it says, that while checking your CAA records, your servers aren't responding correctly. It looks like your authoritative servers don't know that they're authoritative (and some of them don't seem to be responding at all). While CAA records aren't required, your authoritative servers need to correctly reply that no record exists rather than an error.

Some selections from www.dualnok.gov.rs | DNSViz

  • dualnok.gov.rs zone: The server(s) did not respond authoritatively for the namespace. See RFC 1035, Sec. 4.1.1. (195.222.98.170, 195.222.98.171)
  • gov.rs zone: The server(s) were not responsive to queries over TCP. See RFC 1035, Sec. 4.2. (195.222.98.170, 195.222.98.171)
  • www.dualnok.gov.rs zone: The following NS name(s) did not resolve to address(es): oiomkmhoandn.dualnok.gov.rs
  • www.dualnok.gov.rs/CAA (NODATA): An SOA RR with owner name (dualnok.gov.rs) not matching the zone name (www.dualnok.gov.rs) was returned with the NODATA response. See RFC 1034, Sec. 4.3.4, RFC 2308, Sec. 2.2. (77.105.21.15, 82.117.223.167, UDP_-_EDNS0_4096_D_KN)

And it looks like requests for DNSKEY are just dropped instead of returning a "no records" code, which I don't think is directly related to your problem but also indicates a poorly-configured DNS server.

Another useful tool is Unboundtest, which queries your servers in a similar way to how Let's Encrypt does:

https://unboundtest.com/m/CAA/www.dualnok.gov.rs/DTCQ2IA3

And if you're not familiar with CAA, you may want to read through Let's Encrypt documentation of it describing what it's for, and why they can't issue if your DNS server is reporting errors for it. (Look at the CAA Errors section.)

But the short of it is that you need to have working domain nameservers before one can get a certificate.

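To reproduce the CA-side CAA check against each authoritative server directly (rather than through a recursive resolver), here is a small standard-library script; it is an added example, not code from the thread, Certbot or Let's Encrypt. It only inspects the response header (RCODE, the AA bit, answer count), so it catches SERVFAIL, non-authoritative answers and dropped queries, but not the mismatched SOA owner name that DNSViz reported. The nameserver IP and FQDN are supplied by you on the command line.

```python
import socket
import struct
import sys

CAA_TYPE = 257  # CAA RR type number (RFC 8659)

VERDICTS = {
    "SERVFAIL": "server error: the CA treats this as a failed CAA check and will not issue",
    "NXDOMAIN": "name does not exist: no CAA at this label, the check climbs to the parent",
    "NOT_AUTHORITATIVE": "AA bit missing: the server does not think it serves this zone",
    "NODATA": "authoritative NOERROR with no CAA records: issuance is allowed",
    "CAA_PRESENT": "CAA records returned: the CA compares them with its own identifier",
    "TIMEOUT": "no reply at all: the query was dropped, which also fails the check",
}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal CAA query; flags are 0 (no RD) because we want the server's own answer."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, 1)  # QCLASS IN


def classify(response: bytes) -> str:
    """Map a raw DNS response header onto what a CA's CAA lookup concludes."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)  # AA bit
    if rcode == 2:
        return "SERVFAIL"
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return f"RCODE{rcode}"
    if not authoritative:
        return "NOT_AUTHORITATIVE"
    return "NODATA" if ancount == 0 else "CAA_PRESENT"


def query_caa(server_ip: str, name: str, timeout: float = 3.0) -> str:
    """Send one UDP CAA query straight to a nameserver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return classify(data)


if __name__ == "__main__":
    # usage: python caa_check.py <nameserver-ip> <fqdn>  (your own server and name)
    verdict = query_caa(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]} {sys.argv[2]}: {verdict} -> {VERDICTS.get(verdict, 'unexpected RCODE')}")
```

Run it once per nameserver listed in your NS records; every one of them should report NODATA (or CAA_PRESENT) for both the bare domain and the www name before retrying Certbot.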