SERVFAIL looking up A error - Lets Encrypt and Cloudflare

Hello guys,

I’m trying to issue a new certificate for, however lately I’ve switched my nameservers to the Cloudflare nameservers. Normally I use the nameservers of my domain registrar and it worked fine.

Currently, I have “Paused” my Cloudflare settings, but only the DNS configurations are active. Whenever I want to issue my certificate I get this error:

“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “DNS problem: SERVFAIL looking up A for”,
“status”: 400
“uri”: “”,
“token”: “uvtg5UqXBD7lGcetz1erXZknEMShgVTThSsBpJahmWg”,
“keyAuthorization”: “uvtg5UqXBD7lGcetz1erXZknEMShgVTThSsBpJahmWg.NnKY5QKccivUfWUkrjytBTqHRbYunadDNo3y0CdTmTc”,
“validationRecord”: [
“url”: “”,
“hostname”: “”,
“port”: “80”

I’m using the latest “Let’s Encrypt Windows Simple (LEWS)” version and also tried to issue through, but both gives exactly the same error.

The “A Record” should be set correctly inside Cloudflare’s DNS configuration which you can see here:

Am I missing something?

The domain’s DNSSEC configuration is incorrect. No validating resolver can resolve it.

Specifically, it has a DS record that isn’t for Cloudflare – it was probably for the old DNS provider’s key.

The Cloudflare nameservers don’t have DNSSEC enabled for the domain at all.  (signed)  3431  DS  59470 8 2 2462AEE6E1996525BA752182B8CE9DA14B7B6D63B56BC02DAB3AAB9E 4F7837FA

You can:

  1. Go to your registrar and remove the DS record, disabling DNSSEC.

  2. Go to your registrar and remove the DS record, go to Cloudflare and enable DNSSEC on the domain, and copy the new DS record from Cloudflare to your registrar.


13 posts were split to a new topic: Traefik/LEGO: Error presenting token: Unexpected response code ‘SERVFAIL’

Thank you!

The problem is fixed by enabling the DNSSEC on Cloudflare and copying the DS record into my domain registrar. I can now create Lets Encrypt certificates on all of my domains while the DNS’s are handled by Cloudflare!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.