ERROR: Challenge is invalid! DNS problem: SERVFAIL looking up TXT

Please fill out the fields below so we can help you better.

My domain is:
imap.lampensau.org pop3.lampensau.org smtp.lampensau.org mail.lampensau.org imap.dimmerwache.de

I ran this command:
./letsencrypt.sh --cron --challenge dns-01 --hook pdns_api.sh --domain …

It produced this output:

My operating system is (include version):
uname -a
Linux Hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 GNU/Linux

My web server is (include version):
None

My hosting provider, if applicable, is:
netcup.de

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi there,
I’m currently trying to get certificates for a mailserver of mine and am hitting a brick wall so to speak.
All domains are managed on the same 3 nameservers but one constantly fails (lampensau.org). I’m using letsencrypt.sh with the pdns_api.sh and when I query my nameservers after starting letsencrypt.sh (300s wait time till it verifies with my nameservers) I get NOERROR and a payload with every domain. All domains succeed except the lampensau.org one and I have no clue why … HELP!!

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36248
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN TXT

;; ANSWER SECTION:
_acme-challenge.imap.lampensau.org. 1 IN TXT "9iM0zsAkSHLq1IoL-_HOApmTsEqx4-KUPVu4Vg1nLsc"

;; Query time: 6 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 20:33:38 CEST 2016
;; MSG SIZE rcvd: 119

I’ve checked every nameserver and the payload is the same across all 3. I don’t know what is wrong here.

I’m currently running PowerDNS 4.0.1

Hmm. I see SERVFAIL just like Let’s Encrypt / Boulder.

It seems as though maybe there’s a configuration problem with PowerDNS? Make sure you are using a process to obtain an authoritative answer, since Boulder insists upon finding one, it won’t accept an answer from a cache. So you may want to walk through the steps starting from the DNS root, at each stage asking a DNS server for an authoritative answer as to where to find the next layer of DNS servers. I think when you reach lampensau.org. you will see SERVFAIL this way.
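The check described in the reply above, as an added example that is not part of the original thread: ask each authoritative nameserver directly, without recursion, and require an authoritative NOERROR answer with a record from every one of them. The function names and the two sample replies are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare what each nameserver says about a dns-01 TXT name.

# Constructed sample replies (header lines only), modelled on the outputs above.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_RESOLVER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# summarize_dig: read one dig reply on stdin, print "STATUS AUTH ANSWERS",
# where AUTH is "aa" only if the authoritative-answer flag is set.
summarize_dig() {
  awk '
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
    }
    /^;; flags:/ {
      inflags = 1
      for (i = 3; i <= NF; i++) {
        f = $i
        if (inflags) {
          if (f ~ /;$/) { inflags = 0; sub(/;$/, "", f) }
          if (f == "aa") aa = 1
        } else if (f == "ANSWER:") { n = $(i + 1); sub(/,$/, "", n) }
      }
    }
    END {
      s = (st == "" ? "NOREPLY" : st); a = (aa ? "aa" : "non-aa")
      print s, a, n + 0
    }
  '
}

# check_consistency: stdin has lines "NS STATUS AUTH ANSWERS". Prints a FAIL
# line for each server that did not give an authoritative NOERROR with a
# record, and returns non-zero if any server failed or none was checked.
check_consistency() {
  awk '
    { total++ }
    $2 != "NOERROR" || $3 != "aa" || $4 < 1 { bad++; print "FAIL " $0 }
    END { exit (total == 0 || bad > 0) }
  '
}

# query_all NAME NS...: ask each listed server directly, without recursion.
query_all() {
  qname=$1; shift
  for ns in "$@"; do
    echo "$ns $(dig +norecurse +time=3 +tries=1 "$qname" TXT "@$ns" | summarize_dig)"
  done
}

# Live use: ./script NAME NS1 NS2 ...   (no arguments: nothing is queried)
if [ "$#" -ge 2 ]; then query_all "$@" | check_consistency; fi
```

Run it with the `_acme-challenge` name and every nameserver listed in the zone's NS set while the hook's record is still published; a single FAIL line means a validator may land on a server that does not serve the record.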

I’m getting a NXDOMAIN? :thinking:

osiris@desktop ~ $ dig _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de

; <<>> DiG 9.10.3-P4 <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63635
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN	TXT

;; AUTHORITY SECTION:
lampensau.org.		3600	IN	SOA	ns1.dimmerwache.de. admin.dimmerwache.de. 2016083161 10800 3600 604800 3600

;; Query time: 18 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 22:12:25 CEST 2016
;; MSG SIZE  rcvd: 123

osiris@desktop ~ $

First thanks for your answers!

@Osiris The entries for the acme challenge got deleted after the failed request by the letsencrypt.sh hook. I let it run one more time without deleting the records afterwards.

dig _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @ns1.dimmerwache.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18770
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN    TXT

;; ANSWER SECTION:
_acme-challenge.imap.lampensau.org. 1 IN TXT    "kKSOTCSEn_UJzHM2-4j9u_pqMPxNCCSsa0-MUVVI_Wo"

;; Query time: 6 msec
;; SERVER: 2a03:4000:6:50e4::2#53(2a03:4000:6:50e4::2)
;; WHEN: Wed Aug 31 22:36:49 CEST 2016
;; MSG SIZE  rcvd: 119

@tialaramex I’m not the most knowledgeable concerning DNS so please bear with me. Authoritative servers should be my own (ns1. - ns4.dimmerwache.de)? I tried a bunch of different DNS servers (i.e. google, opendns, …)

;; AUTHORITY SECTION:
lampensau.org.        86400    IN    NS    ns1.dimmerwache.de.
lampensau.org.        86400    IN    NS    ns3.dimmerwache.de.
lampensau.org.        86400    IN    NS    ns4.dimmerwache.de.

Works indeed from The Netherlands.. NOERROR.

I tried to follow your advice, even though I don't know if I got it right ...

dig _acme-challenge.imap.lampensau.org txt @a.root-servers.net

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10959

--

dig _acme-challenge.imap.lampensau.org txt @a0.org.afilias-nst.info

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> _acme-challenge.imap.lampensau.org txt @a0.org.afilias-nst.info
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35141

In case I understood your tip correctly I can't spot an error across the chain (org root -> my own nameservers) ...

Please advise.

dig -t txt  _acme-challenge.imap.lampensau.org

; <<>> DiG 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <<>> -t txt _acme-challenge.imap.lampensau.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.imap.lampensau.org. IN TXT

;; Query time: 11 msec
;; SERVER: 217.169.20.20#53(217.169.20.20)
;; WHEN: Thu Sep 01 21:49:52 BST 2016
;; MSG SIZE  rcvd: 63

But on the other hand, now when I ask an authoritative server ns4.dimmerwache.de, I get NXDOMAIN
