SERVFAIL looking up TXT - but records exist

Vanadio · July 16, 2022, 1:04am

I'm not able to get certs

My domain is:
tizlab.xyz

I ran this command:
certbot --domains tizlab.xyz,*.tizlab.xyz --manual --preferred-challenges dns certonly

It produced this output:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tizlab.xyz
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up TXT for
   _acme-challenge.tizlab.xyz - the domain's nameservers may be
   malfunctioning

   Domain: tizlab.xyz
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up TXT for
   _acme-challenge.tizlab.xyz - the domain's nameservers may be
   malfunctioning

The version of my client:

root@nginx:~# certbot --version
certbot 0.40.0

Can get both TXT records from authoritative NS, from Google public DNS and from DNS configured on the node:

Node configured DNS:

root@nginx:~# dig _acme-challenge.tizlab.xyz txt +short
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"

Google:

root@nginx:~# dig @8.8.8.8 _acme-challenge.tizlab.xyz txt +short
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"

Authoritative:

root@nginx:~# dig @156.154.132.200 _acme-challenge.tizlab.xyz txt +short
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"

root@nginx:~# dig @156.154.133.200 _acme-challenge.tizlab.xyz txt +short
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"

Outputs of dig are before the procedure started verifing records.
Tried several times (with new txt records), it always fails. What am I doing wrong?

petercooperjr · July 16, 2022, 1:12am

I'm not sure it's the cause of your troubles (as unboundtest can find your records), but DNSViz reports that your name tizlab.xyz is a CNAME to pubip.tizlab.xyz but also has other types of records for the same name (presumably NS at the very least I'm guessing). That's something that DNS servers shouldn't be able to do. You really can't use a CNAME for your apex domain very effectively.

Vanadio · July 16, 2022, 1:15am

I will remove the cname for the @ record, let's see (and encrypt ).

Vanadio · July 16, 2022, 2:14am

It worked, removing that CNAME for the apex domain. I made an A record pointing to the IP. Thx bro.

system · August 15, 2022, 2:14am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DNS Problem: SERVFAIL looking up TXT for _acme-challenge.X - the domain's nameservers may be malfunctioning Help	21	2205	December 29, 2023
SERVFAIL looking up TXT record when doing dns-01 challenge Help	3	3109	June 19, 2018
Could Not find A record Help	21	516	January 6, 2024
Certbot failed to authenticate some domains Help	3	934	November 12, 2021
SERVFAIL looking up TXT on subdomain (namecheap DNS) Server	3	1686	April 3, 2017

SERVFAIL looking up TXT - but records exist

Related topics