Got SERVFAIL during CAA check

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: b.spwei.xyz

I ran this command: acme.sh --issue --dns dns_ali -d b.spwei.xyz --debug

It produced this output:
[Wed 22 Jul 2020 04:27:36 PM CST] ok, let’s start to verify
[Wed 22 Jul 2020 04:27:36 PM CST] Verifying: b.spwei.xyz
[Wed 22 Jul 2020 04:27:36 PM CST] d=‘b.spwei.xyz’
[Wed 22 Jul 2020 04:27:36 PM CST] keyauthorization=‘sf2-V8HMZ6e-46XRDxeZuVmZLP7OCb8_MKuVwvUMZBQ.CfYmrGbnFqYfSEkNJ69YCFaX-86JjpdQF5qBIsZCUZo’
[Wed 22 Jul 2020 04:27:36 PM CST] uri=‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/6036967984/mGJmEg
[Wed 22 Jul 2020 04:27:36 PM CST] _currentRoot=‘dns_ali’
[Wed 22 Jul 2020 04:27:36 PM CST] url=‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/6036967984/mGJmEg
[Wed 22 Jul 2020 04:27:36 PM CST] payload=’{}’
[Wed 22 Jul 2020 04:27:37 PM CST] POST
[Wed 22 Jul 2020 04:27:37 PM CST] _post_url=‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/6036967984/mGJmEg
[Wed 22 Jul 2020 04:27:37 PM CST] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g ’
[Wed 22 Jul 2020 04:27:39 PM CST] _ret=‘0’
[Wed 22 Jul 2020 04:27:39 PM CST] code=‘200’
[Wed 22 Jul 2020 04:27:39 PM CST] trigger validation code: 200
[Wed 22 Jul 2020 04:27:39 PM CST] sleep 2 secs to verify
[Wed 22 Jul 2020 04:27:41 PM CST] checking
[Wed 22 Jul 2020 04:27:41 PM CST] url=‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/6036967984/mGJmEg
[Wed 22 Jul 2020 04:27:41 PM CST] payload
[Wed 22 Jul 2020 04:27:41 PM CST] POST
[Wed 22 Jul 2020 04:27:41 PM CST] _post_url=‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/6036967984/mGJmEg
[Wed 22 Jul 2020 04:27:41 PM CST] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g ’
[Wed 22 Jul 2020 04:27:45 PM CST] _ret=‘0’
[Wed 22 Jul 2020 04:27:45 PM CST] code=‘200’
[Wed 22 Jul 2020 04:27:45 PM CST] b.spwei.xyz:Verify error:DNS problem: SERVFAIL looking up CAA for b.spwei.xyz - the domain’s nameservers may be malfunctioning

My web server is (include version):
No

The operating system my web server runs on is (include version):
Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @spwei

that’s curious. Checked with my local unbound - no problem. Checked with Unboundtest - https://unboundtest.com/m/CAA/b.spwei.xyz/PWEMVYEU - Servfail:

Jul 22 08:48:11 unbound[13492:0] info: validated DNSKEY spwei.xyz. DNSKEY IN
Jul 22 08:48:11 unbound[13492:0] info: Validate: message contains bad rrsets
Jul 22 08:48:11 unbound[13492:0] info: 127.0.0.1 b.spwei.xyz. CAA IN SERVFAIL 8.864881 0 29

Checked via https://check-your-website.server-daten.de/?q=b.spwei.xyz - you see: One ipv6 is buggy:

But only a timeout by some EDNS-checks.

Running my local Unbound with the -6 flag:

Host b.spwei.xyz. not found: 2(SERVFAIL). (error)

So that IPv6 name server doesn’t work. Let’s Encrypt prefers IPv6 - and can’t find enough information.

PS: Ask your name server provider.

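The per-address check described in the reply above can be scripted. This is an added example, not part of the original thread and not acme.sh or Let's Encrypt code: it asks every authoritative name server of the zone for the CAA record directly, once per IPv4 and once per IPv6 address, so a single broken address stands out. It assumes `dig` is installed and the host has working IPv6; the script name `caa-check.sh` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: query every authoritative name server of a zone for CAA,
# separately over IPv4 and IPv6, and report which addresses fail.

# Reduce dig's full output (read from stdin) to a single status word.
classify_dig() {
    out=$(cat)
    # dig prints the response code in its header line, e.g.
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242"
    status=$(printf '%s\n' "$out" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$status" ]; then
        printf '%s\n' "$status"
    elif printf '%s\n' "$out" | grep -Eq 'timed out|no servers could be reached'; then
        printf 'TIMEOUT\n'
    else
        printf 'UNKNOWN\n'
    fi
}

# Ask one server address directly (no recursion) for the CAA RRset.
probe() {   # probe <-4|-6> <server-address> <name>
    dig "$1" +norecurse +dnssec +time=3 +tries=1 "@$2" "$3" CAA 2>&1 | classify_dig
}

# Walk the zone's NS set and probe every A and AAAA address of each server.
check_caa() {   # check_caa <zone> <name>
    for ns in $(dig +short NS "$1"); do
        for addr in $(dig +short A "$ns"); do
            printf '%-28s %-40s IPv4 %s\n' "$ns" "$addr" "$(probe -4 "$addr" "$2")"
        done
        for addr in $(dig +short AAAA "$ns"); do
            printf '%-28s %-40s IPv6 %s\n' "$ns" "$addr" "$(probe -6 "$addr" "$2")"
        done
    done
}

# Usage: ./caa-check.sh spwei.xyz b.spwei.xyz
if [ "$#" -eq 2 ]; then
    check_caa "$1" "$2"
fi
```

An address that reports TIMEOUT or SERVFAIL while the others report NOERROR is the one to raise with the name server provider. A NOERROR answer with an empty CAA set is fine, because the CA only needs a valid response.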

Thanks. I will check it with the name server provider.
