[HTTP Challenge] SERVFAIL looking up CAA - supsolit.nl

I am trying to give my internal Home Assistant setup an LE certificate. Hence the hass.AD.supsolit.nl. This is by design since it is internal.

I have created a hass.ad A Record in my domain DNS.
I also have got a CAA record: 0 issue "letsencrypt.org"
Also forwarded port 80.

Home Assistant LE setup:

email: EMAILADDRESS@supsolit.nl
domains:
  - hass.ad.supsolit.nl
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http

Any ideas why this is not working? See below for the error:

[22:39:38] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hass.ad.supsolit.nl
Waiting for verification...
Challenge failed for domain hass.ad.supsolit.nl
http-01 challenge for hass.ad.supsolit.nl
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hass.ad.supsolit.nl
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up CAA for
   hass.ad.supsolit.nl - the domain's nameservers may be
   malfunctioning
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.

It basically means just what it says. When trying to read the CAA record for hass.ad.supsolit.nl, one gets a SERVFAIL. Let's Encrypt needs to get that more-specific record for CAA before checking the less-specific records, just in case it has its own specific CAA record. Your nameservers are misconfigured. You need to work with your DNS provider to fix the issue. I think one of the main issues is that queries for ad.supsolit.nl return NXDOMAIN (and DNSSEC confirms it), which means that it shouldn't have any subdomains. Whereas if it has subdomains, it should return something else (NOERROR probably?) to indicate that subdomains are allowed to exist. But maybe somebody more familiar with DNS & DNSSEC than I am will need to weigh in if your DNS provider can't fix the issue easily.

https://dns.google/query?name=hass.ad.supsolit.nl&rr_type=CAA&ecs=

https://dnsviz.net/d/hass.ad.supsolit.nl/dnssec/
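To make the "more-specific record first" behaviour concrete, here is an added Python example (not code from this thread or from Let's Encrypt) that walks the CAA lookup chain the way RFC 8659 describes it, climbing from the FQDN towards the TLD. The resolver responses are constructed to mirror the broken state above and a corrected one; treating only "issue" tags and ignoring CAA parameters are simplifying assumptions.

```python
from typing import Dict, List, Tuple

# Constructed resolver responses: name -> (rcode, [(flags, tag, value), ...]).
# CONSTRUCTED_BROKEN mirrors the thread: SERVFAIL at the leaf, NXDOMAIN at the
# empty non-terminal, a valid CAA record only at the registered domain.
CaaResp = Tuple[str, List[Tuple[int, str, str]]]
CONSTRUCTED_BROKEN: Dict[str, CaaResp] = {
    "hass.ad.supsolit.nl": ("SERVFAIL", []),
    "ad.supsolit.nl": ("NXDOMAIN", []),
    "supsolit.nl": ("NOERROR", [(0, "issue", "letsencrypt.org")]),
    "nl": ("NOERROR", []),
}
# Constructed "fixed" state: leaf and empty non-terminal answer NOERROR with
# no CAA data (NODATA), so the CA keeps climbing and finds the parent record.
CONSTRUCTED_FIXED: Dict[str, CaaResp] = dict(CONSTRUCTED_BROKEN)
CONSTRUCTED_FIXED["hass.ad.supsolit.nl"] = ("NOERROR", [])
CONSTRUCTED_FIXED["ad.supsolit.nl"] = ("NOERROR", [])


def lookup_chain(fqdn: str) -> List[str]:
    """Names a CA queries for CAA: the FQDN, then each parent up to the TLD."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_check(fqdn: str, ca_domain: str,
              responses: Dict[str, CaaResp]) -> Tuple[bool, str]:
    """Return (may_issue, reason). A SERVFAIL anywhere in the chain is fatal,
    while NXDOMAIN or NODATA only means 'no record here, try the parent'."""
    for name in lookup_chain(fqdn):
        rcode, records = responses.get(name, ("NOERROR", []))
        if rcode == "SERVFAIL":
            return False, f"SERVFAIL looking up CAA for {name}"
        if records:  # first non-empty CAA RRset is the relevant set (RFC 8659)
            issuers = [v.split(";")[0].strip() for _f, tag, v in records
                       if tag == "issue"]
            if not issuers or ca_domain in issuers:
                return True, f"CAA at {name} authorises {ca_domain}"
            return False, f"CAA at {name} does not authorise {ca_domain}"
    return True, "no CAA records in the chain; issuance is unrestricted"


if __name__ == "__main__":
    for label, table in (("broken", CONSTRUCTED_BROKEN), ("fixed", CONSTRUCTED_FIXED)):
        ok, why = caa_check("hass.ad.supsolit.nl", "letsencrypt.org", table)
        print(f"{label}: {'issue' if ok else 'refuse'} ({why})")
```

To test your own zone, replace the constructed tables with the rcode and CAA answers you get from your resolver for each name in lookup_chain().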

