Fails with "SERVFAIL looking up A"


#1

Hey,

My domain is: trololo.report-it.trade

I ran this command: certbot certonly --non-interactive --agree-tos --standalone --email romans.krjukovs@gmail.com -d trololo.report-it.trade --debug

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trololo.report-it.trade
Waiting for verification…
Cleaning up challenges
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.11.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 882, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 659, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 108, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 294, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 265, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. trololo.report-it.trade (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for trololo.report-it.trade

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: trololo.report-it.trade
    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for
    trololo.report-it.trade

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

My web server is (include version): nginx

My hosting provider, if applicable, is: Amazon EC2 + Amazon Route53 for DNS hosting

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

DNS requests looks ok:
rkrjukovs$ dig trololo.report-it.trade A

; <<>> DiG 9.8.3-P1 <<>> trololo.report-it.trade A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28197
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;trololo.report-it.trade. IN A

;; ANSWER SECTION:
trololo.report-it.trade. 59 IN A 52.87.250.202

;; Query time: 382 msec
;; SERVER: 192.168.1.15#53(192.168.1.15)
;; WHEN: Wed Apr 19 15:34:01 2017
;; MSG SIZE rcvd: 57

Pls, advise.

Thank You!

/Romans


#2

The domain has a broken DNSSEC configuration. It only looks okay on resolvers that don’t validate.

http://dnsviz.net/d/trololo.report-it.trade/dnssec/

You need to go to your registrar and delete the DS record.

Edit: Or go to your registrar and switch the DNS back to Cloudflare (and perhaps update the DS too).


#3

Got it.
AWS Route53 DNS service does not support DNSSEC.
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html

Thanks!

/Romans


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.