SERVFAIL looking up CAA on subdomain

Hi!

I have a VPS server that hosts 4 domains and many subdomains (quite a lot for my experiments ) and I have set up Let’s Encrypt certificates for most of them.

But I have just created a new subdomain and when I try to put a certificate on it fails.

My domain is: http://apitpv.osumi.es

I’m using Plesk 17.8.11 to manage all my domains/subdomains and to create Let’s Encrypt certificates.

It produced this output:

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/125cwEO1_-KKqGiO2BobQ2jqXdRKnR3zetMcfc5-FXc.
Details:
Type: urn:acme:error:dns
Status: 400
Detail: DNS problem: SERVFAIL looking up CAA for apitpv.osumi.es

My web server is (include version): 2.4.10-10+deb8u12 as shown by dpkg

The operating system my web server runs on is (include version): Debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx 17.8.11

I’ve tried doing dig and it shows NOERROR:

 dig @dns1.canaldominios.com apitpv.osumi.es CAA

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @dns1.canaldominios.com apitpv.osumi.es CAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42413

Any help would be appreciated.

Thanks!!

iñigo

For me (and DNSViz), the domain’s nameservers are returning SERVFAIL for a CAA query for that name. Among other issues which may or may not cause resolution to fail.

http://dnsviz.net/d/apitpv.osumi.es/WunMiA/dnssec/

$ dig +norecurse @dns1.canaldominios.com apitpv.osumi.es caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse @dns1.canaldominios.com apitpv.osumi.es caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37054
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;apitpv.osumi.es.               IN      CAA

;; ANSWER SECTION:
apitpv.osumi.es.        3600    IN      CNAME   osumi.es.

;; AUTHORITY SECTION:
osumi.es.               3600    IN      SOA     dns1.canaldominios.com. dns.canaldominios.com. 1 7200 1800 151200 3600

;; Query time: 109 msec
;; SERVER: 82.194.64.50#53(82.194.64.50)
;; WHEN: Wed May 02 14:37:38 UTC 2018
;; MSG SIZE  rcvd: 109

Thanks for the fast reply.

I’ve typed your same command and I get NOERROR, how can it be possible?

dig +norecurse @dns1.canaldominios.com apitpv.osumi.es caa

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> +norecurse @dns1.canaldominios.com apitpv.osumi.es caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28956
;; flags: qr aa ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;apitpv.osumi.es.               IN      A

;; ANSWER SECTION:
apitpv.osumi.es.        3600    IN      CNAME   osumi.es.
osumi.es.               3600    IN      A       37.59.239.108

;; AUTHORITY SECTION:
osumi.es.               3600    IN      NS      dns1.canaldominios.com.
osumi.es.               3600    IN      NS      dns2.canaldominios.com.
osumi.es.               3600    IN      NS      dns3.canaldominios.com.
osumi.es.               3600    IN      NS      dns4.canaldominios.com.

;; Query time: 28 msec
;; SERVER: 82.194.64.50#53(82.194.64.50)
;; WHEN: Wed May 02 16:53:59 CEST 2018
;; MSG SIZE  rcvd: 156

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1775
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;caa.                           IN      A

;; Query time: 27 msec
;; SERVER: 82.194.64.50#53(82.194.64.50)
;; WHEN: Wed May 02 16:54:00 CEST 2018
;; MSG SIZE  rcvd: 21

The most annoying thing is that I have already 20 or 30 domains with a Let’s Encrypt certificate in the same server and they didn’t fail. For example https://board.osumi.es/ or https://game.osumi.es/ (or even the main site https://osumi.es/ )

Thanks!

You’re using an older version of dig that doesn’t know what CAA records are, so it did something different: It looked up the A record for apitpv.osumi.es. and then the A record for “caa.”.

Try:

dig +norecurse @dns1.canaldominios.com apitpv.osumi.es type257

(dig can send queries for types it doesn’t support. 257 is the code for CAA. If it gets a positive response, the records are displayed in an encoded, non-human-readable format, but you know they’re there.)

You’re right, now I see the SERVFAIL response:

dig +norecurse @dns1.canaldominios.com apitpv.osumi.es type257

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> +norecurse @dns1.canaldominios.com apitpv.osumi.es type257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16695
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;apitpv.osumi.es.               IN      TYPE257

;; ANSWER SECTION:
apitpv.osumi.es.        3600    IN      CNAME   osumi.es.

;; AUTHORITY SECTION:
osumi.es.               3600    IN      SOA     dns1.canaldominios.com. dns.canaldominios.com. 1 7200 1800 151200 3600

;; Query time: 24 msec
;; SERVER: 82.194.64.50#53(82.194.64.50)
;; WHEN: Wed May 02 17:21:58 CEST 2018
;; MSG SIZE  rcvd: 109

But if I try it with game.osumi.es it also fails with the same response, so, how can it be working?

Thanks!

I’m not sure.

It may have worked a few hours ago. It may work in some locations.

With luck, if a resolver queries a type that works first, it will cache the CNAME response, and then only make a CAA query for osumi.es. itself, which doesn’t fail.

Hola @igorosabel,

You should open a support ticket to ACENS and explain them what is happening when trying to get a non existent CAA record for a subdomain that has already defined a CNAME record. Meanwhile… if you can add CAA records you could try to add a CAA record for your subdomain and try again (there is no need to remove the CNAME, just add the CAA record).

apitpv.osumi.es. CAA 0 issue "letsencrypt.org"

Buena suerte

Un saludo,
sahsanu

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.