Error install let’s encrypt on Debian 10

Good afternoon,

I have a problem when trying to install the certificate for a domain.

I have my own server with Debian 10 and apache2 installed on which I host some sites.

I use the DNS server of the locaweb and in it I have only two A records, one for www.dominio.com and another for dominio.com.

On the router and firewall I released port 443 for traffic.

I ran the command below on the terminal:

sudo certbot --apache

I informed all the requested information and got the error below:

DNS problem: SERVFAIL looking up CAA for www.domain.com - the domain’s nameservers may be malfunctioning

Should I do any configuration on my server? Is there any entry missing from the DNS records?

Any help will be welcome.

Thank you!

There appear to be broken DNS servers. When asked for a CAA record (which, if it exists, specifies which CAs are allowed to issue certs for your domain), your DNS server returned an error, which shouldn't happen. It's OK to say "there's no such record", but your DNS host returned a failure instead.

danb35, thanks for your reply.

My domain is registered by locaweb. There I pointed to the DNS servers of the locaweb and made appointments to my Debian server.

Can you tell me if the error that is returning is due to a failure in the DNS servers in the locaweb or in my Debian server?

The locaweb does not allow the creation of CA records, is it necessary to create such a record to install the certificate?

The former.

No, it's perfectly OK to not have a CAA record. What isn't OK is for the DNS server to respond with a failure when queried for one.

Can you tell me what may be happening on my Debian server that is returning this error? And how should I proceed in order to correct the error?

It's nothing on your Debian server, it's an error on the part of your DNS provider.

Do you believe that this error on the part of the DNS server can be solved by creating some record in the DNS or is it an error that must be analyzed by the team of locaweb, supplier of the DNS server?

SERVFAILs can be tricky to track down because they don't always happen consistently. Something like temporary "bad weather" on the internet can trigger it, in which case there's nothing to be done.

How many times did you try? If you try again, does it happen every time?

Did you redact this error message? Was the domain in here your www.dominio.com one?

1 Like

_az thanks for your reply.

I've tried over the course of a few days to perform the installation and it always returns the same error.

I just changed the domain on the return, the real one is parsoni.com.

Hi @StraightFree

your name servers are buggy - https://check-your-website.server-daten.de/?q=parsoni.com

Non-www has an ip address, www a Server Failure:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
parsoni.com A 200.161.185.204 São Paulo/Brazil (BR) - TELEFÔNICA BRASIL S.A Hostname: 200-161-185-204.dsl.telesp.net.br yes 1 0
www.parsoni.com Server failure yes 3 0

ns1.locaweb.com.br is one.

X Nameserver Timeout checking Echo Capitalization: ns3.locaweb.com.br / 189.126.101.254
X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns1.locaweb.com.br
X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns2.locaweb.com.br
X Fatal error: Nameserver doesn't support EDNS with max. 512 Byte Udp payload or sends more then 512 Bytes: ns3.locaweb.com.br

And CAA + simple TXT checks:

Only Server Failures.

Same with Unboundtest - https://unboundtest.com/m/CAA/parsoni.com/CD3LLRCQ

Response:
;; opcode: QUERY, status: SERVFAIL, id: 54368
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;parsoni.com. IN CAA

So your name servers are terrible. Looks like a very old software.

Indeed, you need to tell Locaweb to try this query:

$ dig @ns1.locaweb.com.br parsoni.com caa

; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.locaweb.com.br parsoni.com caa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11864
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;parsoni.com.                   IN      CAA

;; Query time: 403 msec
;; SERVER: 186.202.8.254#53(186.202.8.254)
;; WHEN: Thu Apr 30 09:19:18 AEST 2020
;; MSG SIZE  rcvd: 29

Since they are an EIG brand, it might take a while for them to fix it. In the meantime you could choose another DNS host. There are some good free ones like Cloudflare (just the DNS, not the CDN bits).

JuergenAuer,

Thanks for your reply.

As the domain redirection service was working, I had not noticed the problem with the locaweb’s DNS.
I will study other alternatives, including installing the DNS server on my Debian.
But as I don’t know much about it, I will have to study a little.

Thanks again for the help.

If you don't know much about it, running your own public DNS server probably isn't the best option. Follow Jürgen's advice instead and use Cloudflare for your DNS--it's free.

_az,

I really believe that support would take too long.
I have tried 3 times to contact them about the problem and the answer is always the same: “you need to consult your hosting provider”. They look like robots talking! kkkkkk

So, I will try the cloudfire alternative in the short term and study how to implement a DNS server in Debian so that I can manage everything internally.

Again, thanks for the answer.

I would like to thank everyone who helped with the problem.

Can solve using the DNS of cloudfire. Now, I will study about the implementation of my own DNS.

But at first I was able to make it work and install the Lets Encrypt certificate.

Once again thank you all for your help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.