Getting SERVFAIL (A) when using certbot --nginx

My domain is:

I ran this command: sudo certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS (focal)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0

I've also checked these:

Bought the domain from Porkbun. It has DNSSEC, which I haven't touched. Anything that I missed?


DNSSEC is enabled on the domain but isn't set up on the Porkbun nameservers. This makes the domain unresolvable.

The first thing you'll probably want to do is log in to your domain registrar (Porkbun I guess) and disable DNSSEC.

You may need to wait a little while after that, then you should be able to issue a certificate.

Finally, you can try to enable DNSSEC again if you want, carefully following the instructions. Hopefully it goes better the second time.


Deleting the DNSSEC record helped. Thanks a lot @_az :+1:


Alternatively, you could get DNSSEC working properly. With a recent version of bind9 (i.e. 9.16+), it's really easy (just add "dnssec-policy default;" to the zone {} stanza), and porkbun have good support for it. It's easy to upload the DS record there after bind9 has created the corresponding CDS record. By the way, it looks like DNSSEC might still be partially set up but very bogus for your domain. You can see this with | DNSViz


Hi @raf, I've rescanned again ( | DNSViz), this is what I saw.

Hmmm, still confused with bind9 actually (I'm new to all this stuff, so I have to do some homework).


That's just saying that there is no DNSSEC now. Which is fine. You don't need DNSSEC for Let's Encrypt. But if you want to set up DNSSEC, and you already use bind9.16+, it has become incredibly easy. I recommend reading DNSSEC Guide — BIND 9 documentation and subscribing to the bind users mailing list if you need help, but the short version is: add "dnssec-policy default;" to your zone {} stanza, monitor your zone to see when bind9 creates the CDS record (e.g. run "host -t cds" daily until something appears), upload the data in the CDS record to Porkbun's website. They have a knowledge base article showing where to do that. Then tell bind9 that it's done with "rndc dnssec -checkds -key ID published" (where the ID is the first number in the CDS record data). Then check it with
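
Added example, not part of the thread or of any poster's setup: a small shell helper that classifies the DNSSEC state behind the SERVFAIL discussed above and, for the CDS step, checks that the DS uploaded at the registrar matches the zone's CDS before printing the rndc command. The function names, `example.com` and all record data are constructed; inputs are assumed to be the text printed by `dig +short <TYPE> <zone>`, and the zone name is appended to the rndc command as rndc's syntax requires.

```shell
#!/bin/sh
# Inputs are the text printed by `dig +short <TYPE> <zone>`; nothing here queries DNS.

# Normalise DS/CDS rdata to "tag alg digest-type DIGEST" (digest joined, uppercased).
normalize_ds() {
    printf '%s\n' "$1" | awk 'NF >= 4 {
        d = ""; for (i = 4; i <= NF; i++) d = d $i
        print $1, $2, $3, toupper(d) }' | sort
}

# Classify the delegation from the parent's DS set ($1) and the zone's DNSKEY set ($2).
dnssec_state() {
    if [ -n "$1" ] && [ -z "$2" ]; then
        echo bogus          # DS at the registrar, no keys in the zone: validators SERVFAIL
    elif [ -z "$1" ] && [ -z "$2" ]; then
        echo unsigned       # no DNSSEC at all; certificate issuance works
    elif [ -z "$1" ]; then
        echo awaiting-ds    # zone is signed, DS not yet uploaded to the registrar
    else
        echo signed
    fi
}

# True when the DS set at the parent ($1) equals the CDS set the zone publishes ($2).
ds_matches_cds() {
    [ -n "$1" ] && [ "$(normalize_ds "$1")" = "$(normalize_ds "$2")" ]
}

# Print one rndc command per CDS record; the key ID is the first rdata field.
checkds_commands() {
    zone=$1
    normalize_ds "$2" | while read -r tag _rest; do
        echo "rndc dnssec -checkds -key $tag published $zone"
    done
}

# Constructed sample data (not real records); dig may split a digest with spaces.
SAMPLE_CDS='12345 13 2 a1b2c3d4e5f60718293a4b5c6d7e8f90 a1b2c3d4e5f60718293a4b5c6d7e8f90'
SAMPLE_DS='12345 13 2 A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90'
SAMPLE_DNSKEY='257 3 13 (constructed key material)'

if [ "${1:-}" = demo ]; then
    dnssec_state "$SAMPLE_DS" ""      # the state that produced SERVFAIL in this thread
    ds_matches_cds "$SAMPLE_DS" "$SAMPLE_CDS" &&
        checkds_commands example.com "$SAMPLE_CDS"
fi
```

Run it with the argument `demo` to see the constructed case; on a real zone, pass the output of `dig +short DS`, `dig +short DNSKEY` and `dig +short CDS` to the functions instead.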

