ERROR: Challenge is invalid! DNS problem: SERVFAIL looking up TXT


#1

Please fill out the fields below so we can help you better.

My domain is:
imap.lampensau.org pop3.lampensau.org smtp.lampensau.org mail.lampensau.org imap.dimmerwache.de

I ran this command:
./letsencrypt.sh --cron --challenge dns-01 --hook pdns_api.sh --domain …

It produced this output:

My operating system is (include version):
uname -a
Linux Hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 GNU/Linux

My web server is (include version):
None

My hosting provider, if applicable, is:
netcup.de

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi there,
I’m currently trying to get certificates for a mailserver of mine and am hitting a brick wall so to speak.
All domains are managed on the same 3 nameservers but one constantly failes (lampensau.org). Im using letsencrypt.sh with the pdns_api.sh and when I query my nameservers after starting letsencrypt.sh (300s waittime till it verifies with my nameservers) I get NOERROR and a payload with every domain. All domains succeed except the lampensau.org one and I have no clue why … HELP!!

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36248
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN TXT

;; ANSWER SECTION:
_acme-challenge.imap.lampensau.org. 1 IN TXT “9iM0zsAkSHLq1IoL-_HOApmTsEqx4-KUPVu4Vg1nLsc”

;; Query time: 6 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 20:33:38 CEST 2016
;; MSG SIZE rcvd: 119

Ive checked every nameserver and the payload is the same across all 3. I don’t know what is wrong here.

I’m currently running PowerDNS 4.0.1


#2

Hmm. I see SERVFAIL just like Let’s Encrypt / Boulder.

It seems as though maybe there’s a configuration problem with PowerDNS ? Make sure you are using a process to obtain an authoritative answer, since Boulder insists upon finding one, it won’t accept an answer from a cache. So you may want to walk through the steps starting from the DNS root, at each stage asking a DNS server for an authoritative answer as to where to find the next layer of DNS servers. I think when you reach lampensau.org. you will see SERVFAIL this way.


#3

I’m getting a NXDOMAIN? :thinking:

osiris@desktop ~ $ dig _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de

; <<>> DiG 9.10.3-P4 <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63635
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN	TXT

;; AUTHORITY SECTION:
lampensau.org.		3600	IN	SOA	ns1.dimmerwache.de. admin.dimmerwache.de. 2016083161 10800 3600 604800 3600

;; Query time: 18 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 22:12:25 CEST 2016
;; MSG SIZE  rcvd: 123

osiris@desktop ~ $

#4

First thanks for your answers!

@Osiris The entries for the acme challenge got deleted after the failed request by the letsencrypt.sh hook. I let it run one more time without deleting the records afterwards.

dig _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18770
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN    TXT

;; ANSWER SECTION:
_acme-challenge.imap.lampensau.org. 1 IN TXT    "kKSOTCSEn_UJzHM2-4j9u_pqMPxNCCSsa0-MUVVI_Wo"

;; Query time: 6 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 22:36:49 CEST 2016
;; MSG SIZE  rcvd: 119

@tialaramex I’m not the most knowledgeable concerning DNS so please bare with me. Authoritative servers should be my own (ns1. - ns4.dimmerwache.de)? I tried a bunch of different DNS servers (i.e. google, opendns, …)

;; AUTHORITY SECTION:
lampensau.org.        86400    IN    NS    ns1.dimmerwache.de.
lampensau.org.        86400    IN    NS    ns3.dimmerwache.de.
lampensau.org.        86400    IN    NS    ns4.dimmerwache.de.

#5

Works indeed from The Netherlands… NOERROR.


#6

I tried to follow your advice, even though I don’t know if I got it right …

dig _acme-challenge.imap.lampensau.org txt @a.root-servers.net

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10959

dig _acme-challenge.imap.lampensau.org txt @a0.org.afilias-nst.info

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @a0.org.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35141

In case I understood your tip correct I can’t spot an error accross the chain (org root -> my own nameservers …

Please advise.


#7
dig -t txt  _acme-challenge.imap.lampensau.org

; <<>> DiG 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <<>> -t txt _acme-challenge.imap.lampensau.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN TXT

;; Query time: 11 msec
;; SERVER: 217.169.20.20#53(217.169.20.20)
;; WHEN: Thu Sep 01 21:49:52 BST 2016
;; MSG SIZE  rcvd: 63

But on the other hand, now when I ask an authoritative server ns4.dimmerwache.de, I get NXDOMAIN


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.