Error 'urn:acme:error:connection': DNS problem: SERVFAIL

Hi all,

Currently writing a golang package that’ll be packaged with our frontend and automatically attempt to get a certificate once deployed.

Everything seems to be working well until I get to handling the challenges. I can’t seem to get LE to resolve my domain: “Challenge failed: acme error ‘urn:acme:error:connection’: DNS problem: SERVFAIL looking up A for cycle.io”

http://dnscheck.pingdom.com/?domain=cycle.io seems to indicate that our domain is configured properly. Am I missing something?

Response time seems good.

dig cycle.io @ns1.cycle.io

; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc22 <<>> cycle.io @ns1.cycle.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42639
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cycle.io.			IN	A

;; ANSWER SECTION:
cycle.io.		1800	IN	A	173.236.68.14

;; AUTHORITY SECTION:
cycle.io.		14400	IN	NS	ns1.cycle.io.
cycle.io.		14400	IN	NS	ns2.cycle.io.

;; ADDITIONAL SECTION:
ns1.cycle.io.		14400	IN	A	162.243.20.13
ns2.cycle.io.		14400	IN	A	198.199.117.201

;; Query time: 24 msec
;; SERVER: 162.243.20.13#53(162.243.20.13)
;; WHEN: Thu Mar 31 14:27:32 CDT 2016
;; MSG SIZE  rcvd: 174

Thank you.

Your DNS servers are failing when presented with mixed-case queries, which Let’s Encrypt uses:

dig @ns2.cycle.io. CyCLe.Io. a

; <<>> DiG 9.8.3-P1 <<>> @ns2.cycle.io. CyCLe.Io. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7737
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;CyCLe.Io.			IN	A

;; Query time: 316 msec
;; SERVER: 198.199.117.201#53(198.199.117.201)
;; WHEN: Thu Mar 31 22:27:44 2016
;; MSG SIZE  rcvd: 26

(Unbound converts REFUSED to SERVFAIL, so that’s what the CA server is reporting.)
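
A pre-flight check for the failure diagnosed in the answer above, as an added example that is not part of the original thread: it sends the same A query straight to one authoritative server, first in lower case and then in the spelling you pass, so NOERROR (rcode 0) for one and REFUSED (rcode 5) for the other shows the mixed-case problem before a certificate request does. The program name `casecheck`, the helper names and the fixed query ID 0x2016 are assumptions, and names are assumed to be ASCII with labels of at most 63 bytes.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// buildQuery encodes a one-question query (A, IN, RD clear); the name goes on the wire exactly as spelled.
func buildQuery(id uint16, name string) []byte {
	q := []byte{byte(id >> 8), byte(id), 0, 0, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(append(q, byte(len(label))), label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}
// rcode returns the RCODE of a response carrying id, or -1 if resp is not such a response.
func rcode(resp []byte, id uint16) int {
	if len(resp) < 12 || resp[0] != byte(id>>8) || resp[1] != byte(id) || resp[2]&0x80 == 0 {
		return -1
	}
	return int(resp[3] & 0x0f)
}
// probe sends one UDP query for name to server ("host:53") and returns the RCODE (-1 on error).
func probe(server, name string) (int, error) {
	c, err := net.DialTimeout("udp", server, 3*time.Second)
	if err != nil {
		return -1, err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err = c.Write(buildQuery(0x2016, name)); err != nil {
		return -1, err
	}
	buf := make([]byte, 512)
	n, err := c.Read(buf) // on timeout n is 0, so rcode yields -1
	return rcode(buf[:n], 0x2016), err
}
func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: casecheck <nameserver:53> <MiXeD.cAsE.name>")
		return
	}
	for _, n := range []string{strings.ToLower(os.Args[2]), os.Args[2]} {
		rc, err := probe(os.Args[1], n)
		fmt.Printf("%-24s rcode=%d err=%v\n", n, rc, err)
	}
}
```

Run it once per authoritative nameserver, since each server has to answer correctly on its own.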

Thanks, this solved it!
