SERVFAIL looking up CAA

Hi, my auto renewals have starting failing with the output below. I previously did not have a CAA record so I tried adding one for letsencrypt.org but it is still failing. Any advice on how to resolve very appreciated.

My domain is: apps.epicentre-msf.org

I ran this command: sudo certbot renew --dry-run

It produced this output:

Simulating renewal of an existing certificate for apps.epicentre-msf.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: apps.epicentre-msf.org
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for apps.epicentre-msf.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1026-aws x86_64)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

https://dnsviz.net/d/apps.epicentre-msf.org/dnssec/

Your NS records are inconsistent: Your registrar thinks the servers are

ns-780.awsdns-33.net, ns-1483.awsdns-57.org, ns-1974.awsdns-54.co.uk, ns-264.awsdns-33.com

But when queried, they're replying that the servers actually are these:

ns-479.awsdns-59.com, ns-927.awsdns-51.net, ns-1274.awsdns-31.org, ns-1617.awsdns-10.co.uk

You need to fix whichever one is wrong. We've seen this a few times with Route 53 with people saying that it used to work; I don't know if maybe there was a system (either on Let's Encrypt's side or on the Route 53 site) that was tolerating the misconfiguration better before, or if nameservers got changed somehow without the administrators knowing, but it needs to be fixed in order for your domain to work reliably.

The CAA record isn't the problem directly (it'd be fine if it were gone, through adding one can improve your domain's security), it's just that it needs to get a "no record" (or valid) lookup result in order to get a certificate, rather than an error.

In their documentation, this page's "Step 4" says how to go into the details of your hosted zone to find which nameservers the zone should be using, those are the nameservers that should be in both that zone's NS record and in your registrar's configuration for your domain.

5 Likes

Thank you very much. We managed to correct the NS records and renewals are working again.

3 Likes