I’m running many sites on our servers. I recently got an email about the end-of-life of TLS-SNI-01 validation. Therefore I’m updating certbot clients from all of our servers. After updating, I made a new certificate with ./certbot-auto --apache and it seemed to issue and work nicely.
But when I run ./certbot-auto renew --dry-run I get different kinds of errors:
“DNS problem: SERVFAIL looking up CAA…”
“DNS problem: SERVFAIL looking up A…”
“No valid IP addresses found…”
And this is not just for one domain. It happens with different servers, different domains, different IP addresses. I use the saul.fi domain here as an example. Sometimes the dry-run even goes through. It seems that the checks work sometimes, and sometimes don’t. Even with Let’s Debug I get different kinds of errors on each run:
Unfortunately this doesn’t tell me much. Is there anything I can do, or is this a problem with my DNS provider? If it is, should I contact them and ask for what?
Looks like a variant of the additional record ordering.
First:
parse of NS(2) IN(1) saul.fi.
parse of NS(2) IN(1) saul.fi.
parse of NSEC3(50) IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of RRSIG(46) [NSEC3(50)] IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of NSEC3(50) IN(1) g3d9n9gg4vuto3numgsk0li82v37pj9a.fi.
parse of RRSIG(46) [NSEC3(50)] IN(1) g3d9n9gg4vuto3numgsk0li82v37pj9a.fi.
parse of A(1) IN(1) ns.nebula.fi.
parse of AAAA(28) IN(1) ns.nebula.fi.
parse of A(1) IN(1) ns2.nebula.fi.
parse of AAAA(28) IN(1) ns2.nebula.fi.
parse of OPT(41) ??(4096) .
Second:
parse of NS(2) IN(1) saul.fi.
parse of NS(2) IN(1) saul.fi.
parse of NSEC3(50) IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of RRSIG(46) [NSEC3(50)] IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of NSEC3(50) IN(1) g3d9n9gg4vuto3numgsk0li82v37pj9a.fi.
parse of RRSIG(46) [NSEC3(50)] IN(1) g3d9n9gg4vuto3numgsk0li82v37pj9a.fi.
parse of AAAA(28) IN(1) ns.nebula.fi.
parse of AAAA(28) IN(1) ns2.nebula.fi.
parse of A(1) IN(1) ns.nebula.fi.
parse of A(1) IN(1) ns2.nebula.fi.
parse of OPT(41) ??(4096) .
ns/ns/ns2/ns2 vs ns/ns2/ns/ns2.
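To make the ordering difference in the two dumps above mechanical rather than eyeballed, here is an added example (not code from the thread or from certbot/Let's Encrypt) that parses the "parse of" debug lines, extracts the A/AAAA glue order, and classifies each response as grouped by owner name or by record type. The two dumps are embedded as constructed sample input copied from the posts above.

```python
import re

# Constructed sample input: the two additional-section dumps quoted in the thread.
FIRST = """parse of NS(2) IN(1) saul.fi.
parse of NS(2) IN(1) saul.fi.
parse of NSEC3(50) IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of RRSIG(46) [NSEC3(50)] IN(1) rokbtsmlfioipkff1psd35p98eofm0v6.fi.
parse of A(1) IN(1) ns.nebula.fi.
parse of AAAA(28) IN(1) ns.nebula.fi.
parse of A(1) IN(1) ns2.nebula.fi.
parse of AAAA(28) IN(1) ns2.nebula.fi.
parse of OPT(41) ??(4096) ."""

SECOND = """parse of NS(2) IN(1) saul.fi.
parse of NS(2) IN(1) saul.fi.
parse of AAAA(28) IN(1) ns.nebula.fi.
parse of AAAA(28) IN(1) ns2.nebula.fi.
parse of A(1) IN(1) ns.nebula.fi.
parse of A(1) IN(1) ns2.nebula.fi.
parse of OPT(41) ??(4096) ."""

# "parse of <TYPE>(<n>) [<covered>(<n>)]? <CLASS>(<n>) <owner>"
PARSE_RE = re.compile(r"^parse of (\w+)\(\d+\)(?: \[[^\]]*\])? \S+\(\d+\) (\S+)$")


def parse_records(dump):
    """Return a list of (rrtype, owner) tuples, one per 'parse of' line."""
    records = []
    for line in dump.strip().splitlines():
        m = PARSE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2)))
    return records


def glue_order(records):
    """Owner labels of the A/AAAA glue records in wire order, e.g. ['ns', 'ns', 'ns2', 'ns2']."""
    return [owner.split(".")[0] for rrtype, owner in records if rrtype in ("A", "AAAA")]


def grouping(records):
    """Classify glue ordering: 'by-name' when each owner's A and AAAA are adjacent,
    'by-type' when all A records precede all AAAA records (or vice versa), else 'mixed'."""
    order = glue_order(records)
    if not order:
        return "none"
    transitions = sum(1 for a, b in zip(order, order[1:]) if a != b)
    distinct = len(set(order))
    if transitions == distinct - 1:
        return "by-name"
    if transitions == len(order) - 1:
        return "by-type"
    return "mixed"


if __name__ == "__main__":
    for label, dump in (("first", FIRST), ("second", SECOND)):
        recs = parse_records(dump)
        print(label, "/".join(glue_order(recs)), grouping(recs))
```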
I believe not, except try again repeatedly and pray the bad nameserver isn't involved.
I think that this requires either fi to fix the e.fi nameserver, or for Let's Encrypt to patch their Unbound instance (but there is no numbered release with the fix published yet).