SERVFAIL looking up A/CAA/AAAA with duckdns

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

pojagi.org

I ran this command:

certbot --nginx

It produced this output:

Requesting a certificate for gitlab.pojagi.org and 2 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.pojagi.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for www.pojagi.org - the domain's nameservers may be malfunctioning

  Domain: gitlab.pojagi.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for gitlab.pojagi.org - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for gitlab.pojagi.org - the domain's nameservers may be malfunctioning

  Domain: mealie.pojagi.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up A for mealie.pojagi.org - the domain's nameservers may be malfunctioning; no valid AAAA records found for mealie.pojagi.org

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version):

nginx version: nginx/1.22.1

The operating system my web server runs on is (include version):

PRETTY_NAME="Raspbian GNU/Linux 12 (bookworm)"
NAME="Raspbian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

My hosting provider, if applicable, is: self/at home

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.1.0

Hello @tjb1982, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results
https://letsdebug.net/www.pojagi.org/2238408?debug=y

DNSLookupFailed
Fatal
A fatal issue occurred during the DNS lookup process for www.pojagi.org/AAAA.
DNS response for www.pojagi.org/AAAA could not be resolved within the timeout. This may indicate slow or unresponsive nameservers

This is a failure of your DNS Servers (and / or their configuration).

And here in the DNS Spy report for pojagi.org I see:

2 Likes

Thanks for the nice welcome!

I'm not sure where to go from here, but all of those screenshots look right to me. This is what it looks like on godaddy:

This all started when I wanted to add "mealie" (a self-hosted recipe management app) as a subdomain. I let certbot manage the nginx conf, which it does great. I looked back at the last time the cron job ran, and it looks like there are 51 days left on the last one which included gitlab and some other subdomains I don't want anymore.

I looked again at the certbot installation instructions, and it looks like the way I've installed it is out of date, so I'm reinstalling via pip in a virtualenv. That shouldn't have any effect on this, though, right?

Again, not sure what steps to take now.

Thanks!

1 Like

I suggest contacting GoDaddy and seeing what they say about ns59.domaincontrol.com and ns60.domaincontrol.com not responding properly as DNS authoritative name servers.

2 Likes

Hi @tjb1982,

It could also be the DNS lookup for pojagi.duckdns.org as well.
https://letsdebug.net/pojagi.duckdns.org/2238433

DNSLookupFailed
Fatal
A fatal issue occurred during the DNS lookup process for duckdns.org/CAA.
DNS response for duckdns.org/CAA could not be resolved within the timeout. This may indicate slow or unresponsive nameservers

https://www.ssllabs.com/ssltest/analyze.html?d=pojagi.duckdns.org

So I also suggest contacting Duck DNS about their name servers as well.

2 Likes
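The two replies above point at the authoritative name servers (GoDaddy's for pojagi.org, Duck DNS's for the CNAME target). The script below is an added example, not code from the thread or from Certbot: it sends queries straight to each authoritative server, with recursion disabled, for exactly the records a CA looks up (A and AAAA for the host, CAA for the host and every parent name) and reports the DNS RCODE or a timeout, which a local resolver serving cached answers would hide. The host and server names are the ones quoted in the thread; the RCODE table covers only the common codes.

```python
"""Query name servers directly for the records an ACME CA needs (stdlib only)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {"A": 1, "AAAA": 28, "CAA": 257}

def caa_chain(host):
    """Names a CA checks for CAA: the host, then each parent up to the TLD."""
    labels = host.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def build_query(name, rrtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD=0, so the server must answer from
    its own data) followed by QNAME, QTYPE and QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", RRTYPES[rrtype], 1)

def parse_rcode(resp, txid=0x1234):
    """Return (RCODE name, answer count) from a response; RCODE is the low
    four bits of the flags word. Rejects replies whose ID is not ours."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def query(server, name, rrtype, timeout=3.0):
    """Send one UDP query to `server` (IP or hostname) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rrtype), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", 0   # what Let's Debug reported for duckdns.org/CAA
    return parse_rcode(resp)

def check_host(host, nameservers):
    """Run every lookup a CA would do for `host` against each name server."""
    lookups = [(host, "A"), (host, "AAAA")] + [(n, "CAA") for n in caa_chain(host)]
    for ns in nameservers:
        for name, rrtype in lookups:
            status, count = query(ns, name, rrtype)
            print(f"{name:28} {rrtype:5} @{ns:26} {status} ({count} answers)")

if __name__ == "__main__":
    # Host and servers from the thread; substitute your own zone's NS records.
    check_host("www.pojagi.org", ["ns59.domaincontrol.com", "ns60.domaincontrol.com"])
```

Any line showing SERVFAIL or TIMEOUT from an authoritative server is the problem the CA sees, regardless of what a browser or `nslookup` through the home router shows.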

When did you add duckdns as a DNS provider? Because we have seen repeated problems with people using their service in recent weeks. And, it looks like you are also suffering from that:

See: mealie.pojagi.org | DNSViz

3 Likes

Thanks so much for the suggestions. I changed from duckdns to using a cloudflare solution instead and what a difference.

3 Likes