My domain name cannot apply for Let's Encrypt SSL certificate on any platform

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: b.lingxh.com

I ran this command: Install Let’s Encrypt via BT Panel

It produced this output: During secondary validation: DNS problem: SERVFAIL looking up A for b.lingxh.com - the domain’s nameservers may be malfunctioning

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): CentOS 8.1.1911

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): BT panel 7.2.0 (bt.cn)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Panel integration, unclear

1 Like

I believe the problem is a mixture of two issues:

To begin with, your nameservers do not support “0x20” (reflecting mixed-case query names in responses). More info here.

This is not usually a fatal problem, but it does mean that Let’s Encrypt’s DNS recursive resolver goes into a “0x20 fallback” mode, where it compares the response from every nameserver, to make sure that no spoofing is going on.

That brings us to the second issue: when Let’s Encrypt’s resolver is performing the fallback queries, it is hitting an internal maximum number of queries it is willing to perform in order to complete the fallback, and this results in the target domain not being successfully resolved.

I think the reason it is hitting that limit is that you effectively have 9 (or 16 according to glue records) nameservers (ns1.hwclouds-dns.com and ns1.hwclouds-dns.net each advertise multiple IPv4 addresses and an IPv6 address).

For context, here is a snippet from a similarly configured resolver:

[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request lingxh.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request ns1.hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100791] libunbound[27661:0] debug: request hwclouds-dns.net. has exceeded the maximum number of glue fetches 66
[1592100792] libunbound[27661:0] debug: request hwclouds-dns.com. has exceeded the maximum number of glue fetches 66
[1592100796] libunbound[27661:0] debug: request b.lingxh.com. has exceeded the maximum number of glue fetches 17 to a single delegation point

To resolve it, I think you should just find some nameservers that do support 0x20 mixed case. While the behavior of Let’s Encrypt’s resolvers in this case appears to be pretty crappy, I don’t think there’s going to be any other resolution.

2 Likes

Adding some context based on @_az’s answer.
Huawei updated their NS servers and changed default NS records for new domains added to their platform (I guess they also changed yours).

For some reason, they decided to use new domains instead of updating their existing servers, so you should update your domain’s NS record to ns1.huaweicloud-dns.com, ns1.huaweicloud-dns.cn, ns1.huaweicloud-dns.net, ns1.huaweicloud-dns.org. I guess the old NS servers won’t accept new features, so you might be able to solve this issue by changing nameservers.

Source: https://support.huaweicloud.com/dns_faq/dns_faq_012.html

Hi @stevenzhu

these name servers

have the same problem. There are some checks with some domains, see https://check-your-website.server-daten.de/?q=sought.tech

With a lot of

X Fatal error: Nameserver doesn’t support echo capitalization. That’s critical if you want to create Letsencrypt certificates. Read https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 (2008). If a dns client asks “ExAmPlE.cOm”, the name server must answer with the same name, not with “example.com”. Creating Letsencrypt certificates isn’t possible. Your name server provider must update the software.: ns1.huaweicloud-dns.com / 139.159.208.43

So the problem isn’t really fixed.

Same if you test one of these domains with Unboundtest - https://unboundtest.com/m/A/sought.tech/6IGOVNEP

Jun 14 07:44:27 unbound[19003:0] info: wrong 0x20-ID in reply qname

Error running query: read udp 127.0.0.1:35640->127.0.0.1:1053: i/o timeout

2 Likes
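The "echo capitalization" check discussed in the replies above (the 0x20 fallback in _az's post and the "wrong 0x20-ID in reply qname" message in the Unboundtest output) can be reproduced by hand. The script below is an added example, not code from the thread, from Let's Encrypt or from Unbound: it sends one A query with a randomly mixed-case name directly to a nameserver over UDP and reports whether the reply echoes the exact case. The function names are my own; the packet-building and classification parts run without network access.

```python
import random
import socket
import struct

def randomize_case(name: str) -> str:
    """Flip the 0x20 (case) bit of each letter at random, as a 0x20-capable resolver does."""
    return "".join(c.upper() if random.getrandbits(1) else c.lower() for c in name)

def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: header (RD set, one question) followed by QNAME/QTYPE/QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)

def parse_reply_question(reply: bytes):
    """Return (txid, QNAME exactly as the server sent it back, case preserved)."""
    txid = struct.unpack("!H", reply[:2])[0]
    pos, labels = 12, []
    while reply[pos] != 0:  # the question-section name is never compressed
        length = reply[pos]
        labels.append(reply[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, ".".join(labels)

def classify_reply(sent_qname: str, txid: int, reply: bytes) -> str:
    """'ok': case echoed; 'no-0x20': same name but case lost; 'mismatch': wrong id or name."""
    reply_txid, echoed = parse_reply_question(reply)
    if reply_txid != txid or echoed.lower() != sent_qname.lower():
        return "mismatch"  # this is what unbound logs as "wrong 0x20-ID in reply qname"
    return "ok" if echoed == sent_qname else "no-0x20"

def probe_nameserver(server_ip: str, name: str, timeout: float = 3.0) -> str:
    """Send one mixed-case A query to an IPv4 authoritative server on UDP/53 (needs network)."""
    txid = random.getrandbits(16)
    qname = randomize_case(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (server_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return classify_reply(qname, txid, reply)

if __name__ == "__main__":
    import sys
    # usage: python3 check0x20.py <nameserver-ip> <name>   e.g. the IP quoted above and b.lingxh.com
    print(probe_nameserver(sys.argv[1], sys.argv[2]))
```

A result of "no-0x20" against every listed nameserver is the condition the check-your-website report calls "Nameserver doesn't support echo capitalization".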