Not able to issue cert : DNS problem: SERVFAIL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blog.lublu.nl

I ran this command: Let's Encrypt Plugin via cPanel.

It produced this output:

Error issuing certificate
Failed to issue certificate
Updating challenge for blog.lublu.nl: acme: error code 400 "urn:ietf:params:acme:error:dns": DNS problem: SERVFAIL looking up CAA for blog.lublu.nl - the domain's nameservers may be malfunctioning (order URL: https://acme-v02.api.letsencrypt.org/acme/order/28951149/18365953900)

My web server is (include version): Litespeed 5.4.9 (build 1 )

The operating system my web server runs on is (include version): CloudLinux release 7.9

My hosting provider, if applicable, is: Aspiration Hosting

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, using cPanel 96.0.15

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using Let's Encrypt Plugin

1 Like

Yes, you have a DNS problem.
See: Let's Debug (letsdebug.net)

3 Likes

Hello,

Thank you for looking into it. It seems the domain is not added with any AAAA or CAA records and the A record seems to be resolving just fine from the hosting server.

Is there anything else that needs to be added?

Thanks,
Steve

2 Likes

You don't need any A/AAAA records to obtain a cert via DNS-01 challenge.
That said, all FQDNs must first pass CAA checks.
It seems there is some issue with the authoritative DNS servers and their response to the existence (or lack thereof) of any CAA records in your zone.

3 Likes

Unfortunately, if you use that site to check for the CAA record, it fails MANY times:

Some of the red crosses are "NOERROR" answers (which is fine), but many are "SERVFAIL", which is BAD. I'm not sure why that happens though, and why it returns different answers.

Usually, SERVFAIL errors are due to incorrect DNSSEC, but I can't find anything like that on blog.lublu.nl | DNSViz

4 Likes

I see only red:


They can't all be wrong.

3 Likes

You can click on the separate locations and see the raw return data.

4 Likes

Hello @Osiris and @rg305,

Thank you so much for your time. Yes, as mentioned above normally it's related to DNSSEC but not able to find any issues. Should we check with DNS registrar to see if they can help?

Thanks
Steve

2 Likes

Yes, @SteveV they need to be alerted to this situation (by any and all of their customers experiencing this problem).

3 Likes

Does your DNS Service Provider (DSP) support CAA records?
[Wherever you can create new records in your zone, do you see an option for "new CAA record"?]
I'm thinking that if they do (highly likely), you could just add an entry to replicate the current outcome and have it allow any CA to issue certs for your domain.
Like:
0 issue "*"
OR
0 iodef "mailto:your@email"
Just to see if having an entry as opposed to the current "empty" entry makes any difference in this case.
If so, then we need to better understand exactly which DNS system (and version) they are using; as this may very well be a bug in their DNS system.

Or, seeing as all the certs that have ever been issued for your domain have come from LE (thanks for that), you could also take this opportunity to lock down your domain CAA record to the CA that you would expect to be allowed to issue certs for your domain ("LE") and put that entry to some real work!
Like:
0 issue "letsencrypt.org"
0 iodef "mailto:your@email"

Again, my interest here is trying to understand where the DNS problem exists and what might be a simple workaround to overcome it.
Unfortunately, even within the few domains that I haven't ever added any CAA records to, none of them are showing this problem. So, I think it is likely a problem within the DNS software the DSP is using.

3 Likes
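
To make the CAA check discussed above concrete, here is an added Python model (not Let's Encrypt's, cPanel's or the DNS provider's code) of the RFC 8659 lookup a CA performs before issuing: climb from the FQDN through its parents until a name answers with CAA records, treat a NOERROR answer with no records as unrestricted, and treat SERVFAIL as a failed check, which is exactly the error in the original post. The zone answers and the mailto placeholder are constructed for the example.

```python
# Added model of the CAA check a CA runs before issuing (RFC 8659 relevant
# RRset climb). Constructed for this thread; not Let's Encrypt or cPanel code.
from collections import namedtuple

SERVFAIL = "SERVFAIL"  # sentinel for a lookup the resolver could not answer
CAA = namedtuple("CAA", "flags tag value")

def parse_caa(text):
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_caa(name, zone):
    """Climb from name toward the root; the first name holding CAA records is
    the relevant RRset. `zone` maps a name to a list of CAA records (empty list
    or missing key = NOERROR with no CAA, which is fine) or to SERVFAIL."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        answer = zone.get(candidate, [])
        if answer == SERVFAIL:
            raise LookupError(f"SERVFAIL looking up CAA for {candidate}")
        if answer:
            return candidate, answer
    return None, []

def ca_may_issue(records, ca, wildcard=False):
    if not records:
        return True  # no CAA anywhere in the chain: issuance is unrestricted
    props = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not props:  # issuewild absent (or non-wildcard name): 'issue' applies
        props = [r for r in records if r.tag == "issue"]
    if not props:
        return True  # only iodef etc.: CAA present but nothing restricts issuance
    # value is "issuer-domain[; parameters]"; 'issue ";"' matches no CA at all
    return any(p.value.split(";")[0].strip() == ca for p in props)

def caa_status(name, zone, ca="letsencrypt.org", wildcard=False):
    """'allowed', 'denied', or 'servfail' (the error the ACME order reported)."""
    try:
        _, records = relevant_caa(name, zone)
    except LookupError:
        return "servfail"
    return "allowed" if ca_may_issue(records, ca, wildcard) else "denied"

# Constructed sample answers for the names in this thread
HEALTHY = {"blog.lublu.nl": [], "lublu.nl": [], "nl": []}   # NOERROR, no CAA
BROKEN = {"blog.lublu.nl": SERVFAIL}                         # what the order hit
LOCKED = {"lublu.nl": [parse_caa('0 issue "letsencrypt.org"'),
                       parse_caa('0 iodef "mailto:your@email"')]}
```

Run `caa_status("blog.lublu.nl", BROKEN)` to see the SERVFAIL case and `caa_status("blog.lublu.nl", LOCKED, ca="some-other-ca.test")` to see the locked-down record denying a CA other than LE.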

Hello @rg305 ,

Thank you for the detailed reply.

Let me check.

Regards,
Steve

2 Likes

I see you obtained a LE cert this morning for your blog site, but you are not forcing a redirect from http to https, according to https://www.whynopadlock.com/results/4c6bf9cd-3266-4d4f-8813-45ec541abe80. That should be added to your configuration.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.