SERVFAIL looking up CAA

Hi,

I've been running certbot on my homepage for 2 years now with an autorenew via crontab every 2.5 months:
0 0 1 */2 * /usr/bin/certbot renew > /dev/null 2>&1

This was never an issue until now. Below is the information I extracted:

My domain is:
https://www.suite-leon-crete.com

I ran this command:
certbot --apache (as I have been doing this for 2 years now with this domain, every three months)

It produced this output:
Detail: During secondary validation: DNS problem: SERVFAIL looking up CAA for www.suite-leon-crete.com - the domain's nameservers may be malfunctioning.

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version):
Installed Packages on RHEL 9.4:
Name : httpd
Version : 2.4.57
Release : 8.el9
Architecture : x86_64
Source : httpd-2.4.57-8.el9.src.rpm
Repository : @System
Summary : Apache HTTP Server

The operating system my web server runs on is (include version):
RHEL 9.4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

Welcome to the community @tux1980

We have seen a pattern from Route53 users in recent months. Some have reported that AWS has changed the auth name servers without any notice.

You should review your Route53 config because it looks like that happened to you.

https://dnsviz.net/d/www.suite-leon-crete.com/dnssec/

Especially see the Warnings section at dnsviz

3 Likes

This may not be your only problem, but your DNS delegation is inconsistent: Your registrar thinks your DNS servers are ns-1562.awsdns-03.co.uk, ns-920.awsdns-51.net, ns-1113.awsdns-11.org, ns-84.awsdns-10.com, but your DNS zone thinks they are ns-382.awsdns-47.com, ns-751.awsdns-29.net, ns-1442.awsdns-52.org, ns-2022.awsdns-60.co.uk. We've seen this with AWS Route 53 DNS a few times over the past few months, though it's not clear (at least to me) if it's because AWS is changing DNS servers without telling anyone, or if it's just a configuration which was broken all along but something (either on Let's Encrypt's validation side or on the AWS side) got stricter about it recently.

You need to make sure that the 4 nameservers listed under "Hosted zone details" in the Route 53 console are the same ones listed at both your registrar, and in the NS record for your zone. (Refer to "Step 4" of the documentation for using Route 53 as your DNS.)

4 Likes
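An added example, not from this thread or from Let's Encrypt, that automates the check in the reply above: it compares the delegation the parent (TLD) servers hand out, which is what the registrar published, with the NS RRset the zone itself serves, and reports the rcode of the CAA lookup a CA performs. It assumes `dig` is installed (bind-utils on RHEL); the domain and nameserver lists are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect a registrar/zone NS mismatch
# of the kind described above, plus the CAA lookup status a CA would see.
# Live queries need `dig`; the set comparison works offline.

# normalise_ns: lowercase, split on spaces/commas, strip trailing dots, sort.
normalise_ns() {
    tr 'A-Z' 'a-z' | tr ' ,\t' '\n\n\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# compare_ns_sets PARENT_LIST ZONE_LIST -> prints "consistent" or "inconsistent"
compare_ns_sets() {
    parent=$(printf '%s\n' "$1" | normalise_ns)
    zone=$(printf '%s\n' "$2" | normalise_ns)
    if [ "$parent" = "$zone" ]; then echo consistent; else echo inconsistent; fi
}

# live_check ZONE [HOST]: ask a TLD server for the delegation, then one of the
# delegated servers for the apex NS RRset, and finally report the CAA rcode.
live_check() {
    zone=$1; host=${2:-www.$1}
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    tld=${zone##*.}
    tld_server=$(dig +short NS "$tld." | head -n 1)
    # Parent side: the delegation is returned in the AUTHORITY section.
    parent_ns=$(dig +norecurse +noall +authority NS "$zone." "@$tld_server" \
                | awk '$4 == "NS" {print $5}')
    first_parent=$(printf '%s\n' "$parent_ns" | head -n 1)
    # Zone side: query a delegated server directly so caches cannot mask drift.
    zone_ns=$(dig +short NS "$zone." "@$first_parent")
    echo "Parent delegation: $(printf '%s' "$parent_ns" | normalise_ns | tr '\n' ' ')"
    echo "Zone apex NS:      $(printf '%s' "$zone_ns" | normalise_ns | tr '\n' ' ')"
    echo "Delegation: $(compare_ns_sets "$parent_ns" "$zone_ns")"
    # CAA as the CA sees it: the status must not be SERVFAIL.
    rcode=$(dig +noall +comments CAA "$host." | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    echo "CAA lookup for $host: ${rcode:-no response}"
}

# Usage: sh ns_consistency.sh suite-leon-crete.com
if [ -n "${1:-}" ]; then live_check "$1"; fi
```

If "Delegation: inconsistent" is printed, the four names under "Hosted zone details" in Route 53 have to be copied to the registrar (or the zone's NS record corrected) before validation can succeed.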

Yep, that's it. After switching to the nameservers from the registrar and deleting the live directory, it is now working again.
Thanks!

2 Likes