Getting servfail when renewing, or adding domains


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.roedding-karate.dk
*.ttsh.dk
*.thetroubleshooters.dk
*.vejen-karate.dk

(* is named servers, e.g. gallery, galleri, and the like; haven't activated wildcards yet).

I ran this command:

certbot -c "certbot renew"

It produced this output:

Attempting to renew cert (ttsh.dk) from /etc/letsencrypt/renewal/ttsh.dk.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA: While processing CAA for roedding-karate.dk: DNS problem: SERVFAIL looking up CAA for roedding-karate.dk, While processing CAA for politi.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for politi.thetroubleshooters.dk, While processing CAA for mrtg.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for mrtg.thetroubleshooters.dk, While processing CAA for karate.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for thetroubleshooters.dk. Skipping.

My web server is (include version):

Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:09

The operating system my web server runs on is (include version):

CentOS 7

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

At least in this case, because the nameservers for this domain do not implement 0x20 mixed case, Let's Encrypt's resolver goes into "capsforid fallback mode", observes that your nameservers respond differently to the same query, and fails the entire lookup.

https://unboundtest.com/m/CAA/roedding-karate.dk/CJGU2XRN

Dec 21 21:00:23 unbound[22811:0] info: Capsforid fallback: getting different replies, failed

More verbosely:

[1545426637] libunbound[8811:0] info: flags 33792 vs 33792
[1545426637] libunbound[8811:0] info: qdcount 1 vs 1
[1545426637] libunbound[8811:0] info: security 0 vs 0
[1545426637] libunbound[8811:0] info: an_numrrsets 0 vs 0
[1545426637] libunbound[8811:0] info: ns_numrrsets 2 vs 3
[1545426637] libunbound[8811:0] info: rrset_count 2 vs 3
[1545426637] libunbound[8811:0] info: Capsforid fallback: getting different replies, failed

Compare two responses from your nameservers:

Normal Authority section in response
;; AUTHORITY SECTION:
roedding-karate.dk.     0       IN      SOA     ns1.gratisdns.dk. hostmaster.gratisdns.dk. 2018121201 10800 3600 2419000 43200
roedding-karate.dk.     43200   IN      RRSIG   SOA 8 2 43200 20190111084609 20181212084609 24384 roedding-karate.dk. cghWoIjsr9XxUlzm0d9aky8nudP24wp5qDkKSNh20m9523kb+P3Pq6mdc5oLDn+/RLpS3Aa0id5PM43FwThwltidh1cmfUA+dwdd2yheo8ze24q9Hvc7/NPzrxwlWjw6wLiJN6nmas94FuYheRcaAsw/BYtbyh355xB0BIOMiqCJLCumqlVIpxogmxUEXkZRgEXS0uW7mva9bA16BYd5tOUUV4KtJ6QR+bzEdUcpWz9YkP83mEIgJuQ2cPmWMjy0dqNhKUPN0OGkzaC32Xhv0kSCdHqoq8nWvtgYBYTNHdMymEX8xAfawpploVdj9VpeFyuM1nxadZqST3ezjZwYuw== ;{id = 24384}
roedding-karate.dk.     43200   IN      NSEC    *.roedding-karate.dk. A NS SOA MX TXT RRSIG NSEC DNSKEY
roedding-karate.dk.     43200   IN      RRSIG   NSEC 8 2 43200 20190111084609 20181212084609 24384 roedding-karate.dk. hDegwFHruCWdkhoo+KIHrIiU2kxfosUarhb6j0L8uUVtDUWGpN52VZYBLUUTXH94qH/S1y/PnkfYguFg/b6JIXVhrSaDQMbjSHE8NKZeCkNxgeYd8lp3qQgkxjEYXxkjcydDYMAlO9nQ3a0UEjsf13i0YgAxL5qeosl0uGhEz0gSLzhOj8CyHRVIsqgJjcSbiMukiIi/+ydvSTAGFwzkL/7C5HOcYGjyJmRZNbDXibY597oml7ln927ealy8XaMHLtfw2l418LYeRWKh3bclMCnDi3ORDiJZTNaxEdlEXdmg2jrIC5iG65XGxSyTrsLPUm3mYKKcF7PBljEOxMZxgw== ;{id = 24384}

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 752

The response with the Authority section causing the SERVFAIL
;; AUTHORITY SECTION:
roedding-karate.dk.     0       IN      SOA     ns1.gratisdns.dk. hostmaster.gratisdns.dk. 2018121201 10800 3600 2419000 43200
roedding-karate.dk.     43200   IN      RRSIG   SOA 8 2 43200 20190111084609 20181212084609 24384 roedding-karate.dk. cghWoIjsr9XxUlzm0d9aky8nudP24wp5qDkKSNh20m9523kb+P3Pq6mdc5oLDn+/RLpS3Aa0id5PM43FwThwltidh1cmfUA+dwdd2yheo8ze24q9Hvc7/NPzrxwlWjw6wLiJN6nmas94FuYheRcaAsw/BYtbyh355xB0BIOMiqCJLCumqlVIpxogmxUEXkZRgEXS0uW7mva9bA16BYd5tOUUV4KtJ6QR+bzEdUcpWz9YkP83mEIgJuQ2cPmWMjy0dqNhKUPN0OGkzaC32Xhv0kSCdHqoq8nWvtgYBYTNHdMymEX8xAfawpploVdj9VpeFyuM1nxadZqST3ezjZwYuw== ;{id = 24384}
roedding-karate.dk.     43200   IN      NSEC    *.roedding-karate.dk. A NS SOA MX TXT RRSIG NSEC DNSKEY
roedding-karate.dk.     43200   IN      RRSIG   NSEC 8 2 43200 20190111084609 20181212084609 24384 roedding-karate.dk. hDegwFHruCWdkhoo+KIHrIiU2kxfosUarhb6j0L8uUVtDUWGpN52VZYBLUUTXH94qH/S1y/PnkfYguFg/b6JIXVhrSaDQMbjSHE8NKZeCkNxgeYd8lp3qQgkxjEYXxkjcydDYMAlO9nQ3a0UEjsf13i0YgAxL5qeosl0uGhEz0gSLzhOj8CyHRVIsqgJjcSbiMukiIi/+ydvSTAGFwzkL/7C5HOcYGjyJmRZNbDXibY597oml7ln927ealy8XaMHLtfw2l418LYeRWKh3bclMCnDi3ORDiJZTNaxEdlEXdmg2jrIC5iG65XGxSyTrsLPUm3mYKKcF7PBljEOxMZxgw== ;{id = 24384}
roedding-karate.dk.     43200   CLASS65441      NSEC    localhost.roedding-karate.dk. CNAME RRSIG NSEC
roedding-karate.dk.     43200   CLASS65441      RRSIG   NSEC 8 2 43200 20190111084609 20181212084609 24384 roedding-karate.dk. AuOxgbUdDrvwnVIRraDGboPUSjDh3jtdXGriYefiIHskxqnMQm39kH6nq7aQacKG6UKNU28+iQTwP2kVb6fLe32eDZ6yspMDhNx4mzl1FO8++lBVtlWVJ35v8TqweQfZWO4rtCvhwwIasOvn0kvWqd8TH5X99cbGGsLp30wbB6h5yB32FegTkF5gUX6XlasOHUZ7FSOkyd0z5x+jKMUjsdxOcWSBNbkqklKPSg4m5Rc2k5f3tlhsDmQS0CiWtdx67vhvhgDlHw11MPkwCsBXce3GVL8MenJDvhBPk2NzhBxBl/P+1H8YXdvk/Lxdo+frqv1xNEPXXCBxg9E5uaZSwg== ;{id = 24384}

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 1108

Those two CLASS65441 RRs seem to be triggering the failure, when they’re present.

And this can be reproduced:

Good (only produces 4 RRs, like the majority of the nameservers):

dig +dnssec @2a02:9d0:3002:1::2 roeddIng-kArate.dk caa

Bad (produces 6, which causes the caps-for-id failure):

dig +dnssec @2001:678:5::6 roeddIng-kArate.dk caa

It appears only to be ns3.gratisdns.dk that seems to have this problem. You can try just pulling this NS record at your domain registrar, and seeing if that helps.
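As an added example, not from the thread: a small offline Python reproduction of the comparison unbound makes in capsforid fallback mode, run over the two Authority sections quoted above. The sample records are constructed from that dig output with the signature data shortened to "..."; the check reports the same 2 vs 3 RRset count the log shows and names the RRset present in only one reply.

```python
# Added example: mimic unbound's capsforid fallback comparison offline.
from collections import Counter

# Constructed from the dig output above; RRSIG data shortened to "...".
GOOD_AUTHORITY = """\
roedding-karate.dk. 0     IN SOA   ns1.gratisdns.dk. hostmaster.gratisdns.dk. 2018121201 10800 3600 2419000 43200
roedding-karate.dk. 43200 IN RRSIG SOA 8 2 43200 ... ;{id = 24384}
roedding-karate.dk. 43200 IN NSEC  *.roedding-karate.dk. A NS SOA MX TXT RRSIG NSEC DNSKEY
roedding-karate.dk. 43200 IN RRSIG NSEC 8 2 43200 ... ;{id = 24384}
"""
# The ns3 reply: same records plus two RRs in the bogus class 65441.
BAD_AUTHORITY = GOOD_AUTHORITY + """\
roedding-karate.dk. 43200 CLASS65441 NSEC  localhost.roedding-karate.dk. CNAME RRSIG NSEC
roedding-karate.dk. 43200 CLASS65441 RRSIG NSEC 8 2 43200 ... ;{id = 24384}
"""

def preserves_0x20(sent_qname, echoed_qname):
    """0x20 support means the server echoes the question name byte-for-byte.
    A lowercased echo is what pushes the resolver into fallback mode."""
    return sent_qname == echoed_qname

def rrsets(section):
    """Group presentation-format RRs into RRsets keyed by (owner, class, type).
    An RRSIG is folded into the RRset it covers, which is how unbound counts
    ns_numrrsets (2 vs 3 in the log above)."""
    sets = Counter()
    for line in section.splitlines():
        owner, _ttl, rclass, rtype, rdata = line.split(None, 4)
        if rtype == "RRSIG":
            rtype = rdata.split()[0]  # type covered by the signature
        sets[(owner.lower(), rclass, rtype)] += 1
    return sets

def capsforid_compare(reply_a, reply_b):
    """Replies to the same query must agree on the authority RRset count;
    otherwise report the RRsets that only one side carries."""
    a, b = rrsets(reply_a), rrsets(reply_b)
    differing = sorted(set(a) ^ set(b))
    return {"ns_numrrsets": (len(a), len(b)),
            "consistent": len(a) == len(b) and not differing,
            "only_in_one": differing}

if __name__ == "__main__":
    print(preserves_0x20("roeddIng-kArate.dk.", "roedding-karate.dk."))
    print(capsforid_compare(GOOD_AUTHORITY, BAD_AUTHORITY))
```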


#3

Any other way to fix this problem? I am not able to contact my DNS provider (they're not responding) atm, and the domain registrar doesn't allow me to remove one name server, as they collect the set from the primary DNS…


#4

Well, you can just keep retrying. There’s only a partial chance that it’ll fail on every attempt.

(Edit: actually, looks like you managed to "fix" it by adding a CAA record? So the bad authority section is no longer sent. But querying for any other non-existent record will still produce the issue, e.g. AAAA).


#5

FYI, I haven’t tried your other domains, but roedding-karate.dk is impossible to scan with the popular DNS(SEC) debugging tool DNSViz. It produces a 500 Internal Server Error.

I filed this bug (possibly in the wrong repository):


#6

Yes the renewal seemed to work after adding the CAA record… Hopefully that will keep things running :-).

Thank you for your help.


#7

Your DNS service still really needs to be fixed, and it may affect you in other ways.

The fact that my DNSViz bug was a duplicate of one filed November 6 (and fixed but not deployed) means you might want to switch DNS providers.


#8

Hi @shadowenthegrey

I checked your DNSSEC directly; it is incomplete:

Your parent zone doesn’t send a DS record.

Querying something like

Domain roedding-karate.dk Query DS nameserver a.nic.dk

there should be a DS RR as the answer, but there is a SOA record and an RRSIG for this SOA, and two RRSIGs of type 50. That may be the proof that such a DS doesn't exist.

But your domain has 2 DNSKEY RRs. These two are valid.

So your DNSSEC configuration is incomplete. Add a DS in the parent zone or remove the DNSKEY - RRset in your own zone.


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.