(http-01) DNS problem: SERVFAIL looking up A for breshears.us

Hello,

I just transferred my domain (breshears.us) to no-ip and have issues getting certificate issued.

If I use one of no-ip's default hostnames (such as breshears.ddns.me) I have no issues getting a certificate issued. However, I do have an issue when trying to get a certificate from my own domain.

If you try to visit 'breshears.us' it works, but it gives you a certificate error.

What am I doing wrong? The "A Record" appears to be fine. Is there another way to pass the challenge?

Thank you.

---------------------
ACTUAL ERROR
---------------------

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for breshears.us
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. breshears.us (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for breshears.us - the domain's nameservers may be malfunctioning
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: breshears.us
    Type: None
    Detail: DNS problem: SERVFAIL looking up A for breshears.us - the
    domain's nameservers may be malfunctioning
    Done. Press any key...

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

There's a DNSSEC problem with the nameservers for breshears.us.

https://dnsviz.net/d/breshears.us/dnssec/

3 Likes

Thank you! I appreciate that.

Can you elaborate more?

I have searched the internet for people who have had similar problems as I am now having, and I have seen several issues where DNSSEC was the problem. But I could not follow the solutions to resolve this.

Does this have anything to do with me transferring my domain from Namecheap to no-ip?

I really appreciate the help.

2 Likes

Do you recall enabling DNSSEC?
It seems after the last change the zone is no longer even signed.
[A quick fix might be to disable DNSSEC.]

1 Like

I do not recall ever hearing anything about DNSSEC....

I know that whenever I transferred my domain I had to enter an auth code. Does that have anything to do with it?

1 Like

No; That code is just to validate your transfer request authorization.

There should be a setting on your new registrars control page that can enable/disable DNSSEC.
If you can't find it, search their site, or call/email them that question: "How can I disable DNSSEC?"
image

1 Like

I have scoured noip's site and I cannot find anything close to DNSSEC....

I have sent them an e-mail, so hopefully tomorrow I can get a better understanding of what's going on.

Dumb question, disabling DNSSEC would help me get this certificate now, but in the long run, I probably would want it, right? I briefly read about it, and it seems like a feature you want.

Also, does this DNSSEC issue have anything to do with me transferring the domain today? If I wait a few days, will this issue resolve itself? Or will this issue stick around until I change something?

Thank you again.

2 Likes

In short, no.
[it wasn't enabled by the transfer]

No; you need (them) to take action to disable it.

Your DSP needs to support it.
It's not just an on/off click button.

1 Like

The transfer could be the reason of this DNSSEC error though. It could very well be that your previous DNS service provider has left the DS record in the .us zone and didn't delete it when your domain was transfered. As your new DNS provider doesn't have the DNSKEY record corresponding to this DS record in your domains zone, DNSSEC is broken.

At the moment your current DNS provider is the one capable of removing the DS record from the .us zone.

3 Likes

Okay, so I just called noip and spoke to a rep.

They informed me that they do not support DNSSEC at all. He also said the issue could be because my domain is still propagating due to the transfer, so that could be causing the issue.

But he wasn't sure, so he's making a support ticket for someone else to look into. (I did ask them to disable DNSSEC, but because they don't support it, he was unsure, hence, why he made another ticket.)

2 Likes

Well that eliminates the turning DNSSEC on.

Meaningless ramble from someone who clearly doesn't know anything about DNSSEC.
The entire contents of the zone are always transferred.
The new registrar can remove any/all records that you can't remove yourself.
As they don't even support DNSSEC, there is no way for you to address those records through their panel. Waiting for some miracle to fix this is just a waste of time.
Call back and speak to someone with a clue or a title high enough to find someone with a clue.

Sorry I may have spoke to soon (no sense in erasing what has already been said - LOL).
:crossed_fingers: You will be properly helped soon.

3 Likes

Okay, so I am getting closer to getting this issue solved. -- I received word back from the new registrar, and they confirmed that the issue is being caused by DNSSEC, and they said that they did remove the DS record. (Removed about 45 minutes ago) However, I'm still getting the same error when attempting to generate a certificate.

Do I just need to hang tight and let it work through the system, or are their efforts not getting rid of DNSSEC?

Hello Chris,
Just an update for you, I have confirmed with the devs here that it is the DNSSEC record that's causing issues for your domain. I put in a request to have them remove it from your zone. I will update you once they've processed the request. Thank you for you patience!
Regards,
Christian A
No-IP Support

Hello Chris,
I'm glad to report that the DS record has been removed from your zone on your domain. Let me know if you run into any other issues.
Regards,
Christian A
No-IP Support

Thank ya'll again. Very grateful for your insight.

2 Likes

And thus we have come full circle, my friend. :slightly_smiling_face:

Not quite there yet, but click here then push the Analyze button to get a pulse.

2 Likes

Sadly, that can take up to 24 hours to sync.
[not likely - but it can]

2 Likes

The information on this site has changed some since yesterday. Everything on the bottom portion is different.

So work is being done, but hasn't resolved the issue yet.

1 Like

I hope that's the case!!

2 Likes

Rest assured though, the culprit has been thoroughly identified. Whether there are others down the road has yet to be determined.

2 Likes

Don't stress over it.
Check it in:
30 mins, 1 hour, 2 hours, 4 hours, 8 hours, 16 hours, ...
Eventually it will be removed.

2 Likes

I hope they mean "has been removed from the .us zone" as that's the actual issue. Your own zone didn't contain a DS record, so if they deleted anything, it's probably from the .us zone indeed.

That said, it doesn't show yet, so probably wait longer.. I'm sure those root nameservers for complete TLD don't rebuild their zone every minute, but probably on (very) long(er) intervals.

2 Likes

Slightly off-topic while I wait for the DNSSEC to (hopefully) be removed.

Why has it taken so long for this to propagate to other name servers?

If I type in breshears.us without a VPN, it loads. But if I have my VPN enabled, I get a 404 page cannot display error.

1 Like