Fails with "SERVFAIL looking up A"


My domain is:

I ran this command: certbot certonly --non-interactive --agree-tos --standalone --email -d --debug

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.11.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/”, line 882, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 659, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 108, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 294, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 265, in obtain_certificate
File “/usr/lib/python2.7/dist-packages/certbot/”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for


  • The following errors were reported by the server:

    Type: connection
    Detail: DNS problem: SERVFAIL looking up A for

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial

My web server is (include version): nginx

My hosting provider, if applicable, is: Amazon EC2 + Amazon Route53 for DNS hosting

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

DNS requests looks ok:
rkrjukovs$ dig A

; <<>> DiG 9.8.3-P1 <<>> A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28197
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

; IN A


;; Query time: 382 msec
;; WHEN: Wed Apr 19 15:34:01 2017
;; MSG SIZE rcvd: 57

Pls, advise.

Thank You!


The domain has a broken DNSSEC configuration. It only looks okay on resolvers that don’t validate.

You need to go to your registrar and delete the DS record.

Edit: Or go to your registrar and switch the DNS back to Cloudflare (and perhaps update the DS too).

1 Like

Got it.
AWS Route53 DNS service does not support DNSSEC.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.