Renew Cert with Standalone+DNSSEC but what is the error?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: itmastro.de mail.itmastro.de

I ran this command:
certbot renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" --renew-hook "systemctl reload spache2; systemctl reload dovecot; systemctl reload postfix"

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/itmastro.de.conf

Cert is due for renewal, auto-renewing…
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for itmastro.de
tls-sni-01 challenge for mail.itmastro.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/itmastro.de.conf produced an unexpected error: Failed authorization procedure. itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for itmastro.de, mail.itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for mail.itmastro.de. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itmastro.de/fullchain.pem (failure)
Running post-hook command: systemctl start apache2
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: vcserver.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes, own v-server

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, clean Debian 9 with Apache, Postfix, MariaDB and certbot

I have activated DNSSEC, but it seems to function correctly.

Sorry for my bad English.


#2

Hi @hydrat,

I can’t reproduce the SERVFAIL errors right now but just in case, you have defined two DS records for your domain.

itmastro.de.            86400   IN      DS      36089 7 2 84A15BC5B2CBE96213EC999D42F6CA5E53C8215569E3A956CE5E7A8D 0B774D72
itmastro.de.            86400   IN      DS      58609 8 2 1DBD948FEE51902C13BB3917C743C531AEBD47BA4F63ADEDAE58D476 F459423D

One DS records using algorithm 7 and the other one using algorithm 8 but you don’t have a DNSKEY defined for alg 7 so you are not signing your records with alg 7, only alg 8.

I would remove the DS record covering alg 7 at your registrar and leave only the DS record for alg 8 as it seems to work fine.

Regarding the command you issued:

--renew-hook "systemctl reload spache2; systemctl reload dovecot; systemctl reload postfix"

I don’t know whether this is a typo or not but you wrote spache2 instead of apache2. Also, putting the reload on the renew hook will give an error because apache is stopped.

Good luck.
sahsanu
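The check sahsanu did by hand (does every DS at the parent correspond to a DNSKEY actually published in the zone?) can be automated. The following is an added example, not code from this thread or from certbot: it recomputes DS records from a DNSKEY per RFC 4034 (key tag from Appendix B, SHA-256 DS digest type 2) and reports DS records that no DNSKEY backs. The zone name and key bytes are constructed for the demo and are not itmastro.de’s real keys; the stale algorithm 7 DS uses a made-up key tag and a placeholder digest.

```python
# Added example (not code from the thread): recompute DS records from a zone's
# DNSKEY set per RFC 4034 and report DS records at the parent that no DNSKEY
# backs (a DS for algorithm 7 while only an algorithm 8 DNSKEY is published).
# Zone name and key material below are constructed, not itmastro.de's real keys.
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: str       # hex; registrars often display it with embedded spaces


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(name: str, key: DNSKEY, digest_type: int) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    data = owner_wire(name) + key.rdata()
    if digest_type == 1:
        return hashlib.sha1(data).hexdigest().upper()
    if digest_type == 2:
        return hashlib.sha256(data).hexdigest().upper()
    raise ValueError(f"unsupported DS digest type {digest_type}")


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS record the parent should publish for this DNSKEY."""
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, ds_digest(name, key, digest_type))


def ds_matches(name: str, ds: DS, key: DNSKEY) -> bool:
    """A DS backs a DNSKEY only if algorithm, key tag and digest all agree."""
    return (ds.algorithm == key.algorithm
            and ds.key_tag == key_tag(key.rdata())
            and ds.digest.replace(" ", "").upper() == ds_digest(name, key, ds.digest_type))


def check_ds_coverage(name, ds_set, dnskeys):
    """Split the parent's DS set into records backed by a DNSKEY and orphans."""
    matched, unmatched = [], []
    for ds in ds_set:
        (matched if any(ds_matches(name, ds, k) for k in dnskeys) else unmatched).append(ds)
    return matched, unmatched


# Constructed zone: one algorithm 8 KSK published; the public key bytes are arbitrary.
ZONE = "example.test."
KSK_ALG8 = DNSKEY(257, 3, 8, bytes(range(1, 65)))
DNSKEYS = [KSK_ALG8]
# Parent-side DS set: the correct DS for the alg 8 key plus a stale alg 7 DS with a
# made-up key tag and placeholder digest, mirroring the two-DS situation in the thread.
DS_SET = [
    ds_from_dnskey(ZONE, KSK_ALG8),
    DS(12345, 7, 2, "00" * 32),
]


def demo():
    matched, unmatched = check_ds_coverage(ZONE, DS_SET, DNSKEYS)
    for ds in unmatched:
        print(f"DS keytag={ds.key_tag} alg={ds.algorithm}: no DNSKEY in {ZONE} backs it; remove it at the registrar")
    return matched, unmatched


if __name__ == "__main__":
    demo()
```

To run this against a real zone, feed it the DNSKEY RRset from `dig DNSKEY <zone>` and the DS RRset from `dig DS <zone>` (the thread’s DS digests are shown with an embedded space, which `ds_matches` strips before comparing).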


#3

Thank you for the hint.

I think I have removed the DS-7 entry in the DNS system at the web hoster.
I'll check certbot --renew again tomorrow (TTL = 1 day).


#4

The DS TTL for that domain is only actually 1 hour. And, even better, Let’s Encrypt doesn’t really cache DNS, so you can try again now. :slightly_smiling_face:

Edit: You were right, the TTL was 1 day. I made a mistake. But it’s true that Let’s Encrypt doesn’t cache.


#5

Okay. The server 8.8.8.8 has the new entry.
But now I get the error SERVFAIL looking up CAA for itmastro.de

Here is my code:
root@itmastro:/# certbot renew --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" --renew-hook "systemctl reload apache2; systemctl reload dovecot; systemctl reload postfix"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/itmastro.de.conf

Cert is due for renewal, auto-renewing…
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for itmastro.de
tls-sni-01 challenge for mail.itmastro.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/itmastro.de.conf produced an unexpected error: Failed authorization procedure. itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for itmastro.de, mail.itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for itmastro.de. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itmastro.de/fullchain.pem (failure)
Running post-hook command: systemctl start apache2
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#6

I have added the DNS entry:
itmastro.de. CAA 0 issue "letsencrypt.org"

Now it works. Thank you for your help.


#7

Adding a CAA record avoids whatever is happening with negative responses, but it doesn’t fix it.

For example, itmastro.de. still doesn’t have any AAAA records, and the response still fails to validate, just like with CAA before.

I don’t know what’s wrong. Unbound says:

debug: verify: signature mismatch
info: validator: response has failed AUTHORITY rrset: itmastro.de. NSEC IN
info: Validate: message contains bad rrsets

Whatever it is, there’s a wider issue you need to fix.


#8

An AAAA-Record is only used for IPv6.

unboundtest.com results okay for CAA and A.

I do not use IPv6. Why should I have IPv6 if I do not need it?


#9

A DNS server should always respond in a valid manner.

And clients will make AAAA queries – that’s how they find out if the service supports IPv6, after all. It’s inefficient at best, and will slow connections down at worst, to waste time with invalid responses.

There may also be other things affected that you care about more.

Edit: I’m not saying you should have AAAA records – or CAA records, for that matter. I’m saying the DNS server is buggy.


#10

I can insert AAAA records, but why do you think the DNS server is buggy? The unbound query fails only at AAAA, and AAAA I haven't defined.


#11

Queries for records that don’t exist aren’t supposed to fail. They’re supposed to return a valid “this doesn’t exist” response.
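What a valid "this doesn’t exist" response looks like under DNSSEC, as an added example that is not code from this thread or from Unbound: a signed zone proves NODATA (the name exists but has no record of that type, the AAAA case here) and NXDOMAIN (the name does not exist) with NSEC records in the AUTHORITY section (RFC 4035 section 3.1.3), which is exactly the RRset Unbound reported as failing above. The zone below is constructed; the block implements only the canonical-ordering and type-bitmap logic, leaving out wildcard proofs and RRSIG verification.

```python
# Added example (not code from the thread): classify a negative DNSSEC answer
# from its NSEC chain. A proper signed zone answers "AAAA example.test" with
# NOERROR and an NSEC for the apex whose type bitmap lacks AAAA (NODATA), and
# answers a nonexistent name with an NSEC whose owner/next span covers it
# (NXDOMAIN). Zone data is constructed; RRSIG checking and wildcard proofs
# are omitted.
from typing import Dict, List, Tuple


def name_key(name: str) -> Tuple[bytes, ...]:
    """Canonical DNS ordering key (RFC 4034 section 6.1): labels from the root, lowercase."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next, i.e. the NSEC proves qname absent."""
    o, n, q = name_key(owner), name_key(next_name), name_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n        # last NSEC in the chain wraps around to the apex


# An NSEC record as (owner, next owner, set of types present at owner).
NSEC = Tuple[str, str, frozenset]


def classify_negative(qname: str, qtype: str, nsecs: List[NSEC]) -> str:
    """Say what the NSEC chain proves about <qname, qtype>."""
    q = name_key(qname)
    for owner, nxt, types in nsecs:
        if name_key(owner) == q:
            # Exact-match NSEC: the name exists, so the type bitmap decides NODATA.
            return "TYPE_PRESENT" if qtype in types else "NODATA"
    for owner, nxt, types in nsecs:
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN"
    return "NO_PROOF"   # a validator treats an answer without a covering proof as bogus


# Constructed signed zone: the apex has A and CAA but no AAAA, like the thread's domain.
ZONE_NSEC: List[NSEC] = [
    ("example.test.", "mail.example.test.",
     frozenset({"A", "NS", "SOA", "MX", "CAA", "RRSIG", "NSEC", "DNSKEY"})),
    ("mail.example.test.", "example.test.",
     frozenset({"A", "RRSIG", "NSEC"})),
]


def demo() -> Dict[str, str]:
    queries = [("example.test.", "AAAA"), ("example.test.", "CAA"),
               ("www.example.test.", "A"), ("mail.example.test.", "A")]
    results = {f"{n} {t}": classify_negative(n, t, ZONE_NSEC) for n, t in queries}
    for k, v in results.items():
        print(f"{k:<24} -> {v}")
    return results


if __name__ == "__main__":
    demo()
```

For a live zone, `dig +dnssec AAAA itmastro.de` shows the NSEC (or NSEC3) and RRSIG records a validating resolver receives; if the NSEC’s owner and type bitmap look right but the resolver still logs "signature mismatch", the problem is the signature over that NSEC rather than the negative proof’s shape.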