Renew Cert with Standonly+DNSSEC but what is the error?

hydrat · April 16, 2018, 9:14am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: itmastro.de mail.itmastro.de

I ran this command:
certbot renew --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2” --renew-hook “systemctl reload spache2; systemctl reload dovecot; systemctl reload postfix”

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/itmastro.de.conf

Cert is due for renewal, auto-renewing…
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for itmastro.de
tls-sni-01 challenge for mail.itmastro.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/itmastro.de.conf produced an unexpected error: Failed authorization procedure. itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for itmastro.de, mail.itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for mail.itmastro.de. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itmastro.de/fullchain.pem (failure)
Running post-hook command: systemctl start apache2
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: itmastro.de
Type: None
Detail: DNS problem: SERVFAIL looking up A for itmastro.de

Domain: mail.itmastro.de
Type: None
Detail: DNS problem: SERVFAIL looking up A for mail.itmastro.de

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: vcserver.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes own v-server

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No, clean Debian 9 with Apache, Postfix, MariaDB and certbot

I have activated DNSSEC, but it seems right ti function.

Sorry for my bad englisch.

sahsanu · April 16, 2018, 10:02am

Hi @hydrat,

I can’t reproduce the SERVFAIL errors right now but just in case, you have defined two DS records for your domain.

itmastro.de.            86400   IN      DS      36089 7 2 84A15BC5B2CBE96213EC999D42F6CA5E53C8215569E3A956CE5E7A8D 0B774D72
itmastro.de.            86400   IN      DS      58609 8 2 1DBD948FEE51902C13BB3917C743C531AEBD47BA4F63ADEDAE58D476 F459423D

One DS records using algorithm 7 and the other one using algorithm 8 but you don’t have a DNSKEY defined for alg 7 so you are not signing your records with alg 7, only alg 8.

I would remove the DS record covering alg 7 at your registrar and leave only the DS record for alg 8 as it seems to work fine.

Regarding the command you issued:

--renew-hook “systemctl reload spache2; systemctl reload dovecot; systemctl reload postfix”

I don’t know whether this is a typo or not but you wrote spache2 instead of apache2. Also, putting the reload on the renew hook will give an error because apache is stopped.

Good luck.
sahsanu

hydrat · April 16, 2018, 11:10am

Thank you for the hint.

I think, i have removed the DS-7-Entry as DNS-System from the Webhoster.
I check certbot --renew tomorro again, (TTL = 1 Day)

mnordhoff · April 16, 2018, 11:13am

The DS TTL for that domain is only actually 1 hour. And, even better, Let's Encrypt doesn't really cache DNS, so you can try again now.

Edit: You were right, the TTL was 1 day. I made a mistake. But it's true that Let's Encrypt doesn't cache.

hydrat · April 16, 2018, 11:39am

Okay. The Server 8.8.8.8 has the new Entry.
But now I become the Error SERVFAIL looking up CAA fpr itmastro.de

Here my Code:
root@itmastro:/# certbot renew --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2” --renew-hook “systemctl reload apache2; systemctl reload dovecot; systemctl reload postfix”
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/itmastro.de.conf

Cert is due for renewal, auto-renewing…
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for itmastro.de
tls-sni-01 challenge for mail.itmastro.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/itmastro.de.conf produced an unexpected error: Failed authorization procedure. itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for itmastro.de, mail.itmastro.de (tls-sni-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for itmastro.de. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/itmastro.de/fullchain.pem (failure)
Running post-hook command: systemctl start apache2
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: itmastro.de
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for itmastro.de

Domain: mail.itmastro.de
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for itmastro.de

hydrat · April 16, 2018, 11:52am

I have added DNS-Entry:
itmastro.de. CAA 0 issue “letsencrypt.org”

Now it works. Thank you for your help.

mnordhoff · April 16, 2018, 11:58am

Adding a CAA record avoids whatever is happening with negative responses, but it doesn’t fix it.

For example, itmastro.de. still doesn’t have any AAAA records, and the response still fails to validate, just like with CAA before.

I don’t know what’s wrong. Unbound says:

debug: verify: signature mismatch
info: validator: response has failed AUTHORITY rrset: itmastro.de. NSEC IN
info: Validate: message contains bad rrsets

Whatever it is, there’s a wider issue you need to fix.

hydrat · April 16, 2018, 12:09pm

An AAAA-Record is only used for IPv6.

unboundtest.com Results okay für CAA and A.

I do not use IPv6. Why should I have IPv6, if i do not need it?

mnordhoff · April 16, 2018, 12:14pm

A DNS server should always respond in a valid manner.

And clients will make AAAA queries – that’s how they find out if the service supports IPv6, after all. It’s inefficient at best, and will slow connections down at worst, to waste time with invalid responses.

There may also be other things affected that you care about more.

Edit: I’m not saying you should have AAAA records – or CAA records, for that matter. I’m saying the DNS server is buggy.

hydrat · April 16, 2018, 12:27pm

I can insert AAAA records, but why you think the DNS Server is buggy. The unbound-query fails only at AAAA, and AAAA i havn't defined.

mnordhoff · April 16, 2018, 12:42pm

Queries for records that don't exist aren't supposed to fail. They're supposed to return a valid "this doesn't exist" response.

system · May 16, 2018, 12:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auto renew is failing Help	11	2129	March 20, 2020
Unable to renew after enabling dnssec Help	11	4865	May 3, 2020
Renew failed: SERVFAIL looking up CAA Help	4	1317	April 26, 2018
Getting servfail when renewing, or adding domains Help	8	1740	January 26, 2019
Renew certificate failed - DNS problem: SERVFAIL looking up CAA Help	3	1563	December 3, 2017

Renew Cert with Standonly+DNSSEC but what is the error?

Processing /etc/letsencrypt/renewal/itmastro.de.conf

Processing /etc/letsencrypt/renewal/itmastro.de.conf

Related topics