SERVFAIL looking up TXT - but records exist

I'm not able to get certs :frowning:

My domain is:
tizlab.xyz

I ran this command:
certbot --domains tizlab.xyz,*.tizlab.xyz --manual --preferred-challenges dns certonly

It produced this output:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tizlab.xyz
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up TXT for
   _acme-challenge.tizlab.xyz - the domain's nameservers may be
   malfunctioning

   Domain: tizlab.xyz
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up TXT for
   _acme-challenge.tizlab.xyz - the domain's nameservers may be
   malfunctioning

The version of my client:

root@nginx:~# certbot --version
certbot 0.40.0

Can get both TXT records from authoritative NS, from Google public DNS and from DNS configured on the node:

Node configured DNS:

root@nginx:~# dig _acme-challenge.tizlab.xyz txt +short
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"

Google:

root@nginx:~# dig @8.8.8.8 _acme-challenge.tizlab.xyz txt +short
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"

Authoritative:

root@nginx:~# dig @156.154.132.200 _acme-challenge.tizlab.xyz txt +short
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"

root@nginx:~# dig @156.154.133.200 _acme-challenge.tizlab.xyz txt +short
"Pj8gM2ibrvXct_PkwcLuOhzyEAyyamLUPq2456rFalY"
"h1d8BeZTooEKknYj3p5gJF-jbxm0eQvU7_2uLw0vG0w"

Outputs of dig are from before the procedure started verifying the records.
Tried several times (with new txt records), it always fails. What am I doing wrong?

I'm not sure it's the cause of your troubles (as unboundtest can find your records), but DNSViz reports that your name tizlab.xyz is a CNAME to pubip.tizlab.xyz but also has other types of records for the same name (presumably NS at the very least I'm guessing). That's something that DNS servers shouldn't be able to do. You really can't use a CNAME for your apex domain very effectively.

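The rule the reply is pointing at is RFC 1034 section 3.6.2 (restated in RFC 2181 section 10.1): an owner name that has a CNAME may carry no other data, and an apex always has at least SOA and NS. Below is an added example, not code from the original post or from DNSViz, that lints a zone for exactly that condition and applies the fix the thread converged on, replacing the apex CNAME with the target's A record. The zone snippet, the nameserver names and the address 203.0.113.10 are constructed placeholders, not the real tizlab.xyz data.

```python
"""Detect 'CNAME and other data' at one owner name and flatten it to an A record.

Added example; the zone below is constructed for illustration and its rdata
(nameservers, 203.0.113.10, the TXT token) are placeholders, not real records.
"""
from collections import defaultdict

# DNSSEC types RFC 4035 s2.5 permits next to a CNAME at the same owner name.
DNSSEC_EXEMPT = {"RRSIG", "NSEC"}

# Constructed zone: apex with SOA and NS plus a CNAME, the shape DNSViz flagged.
BROKEN_ZONE = """\
$ORIGIN tizlab.xyz.
@                3600 IN SOA   ns1.example. hostmaster.example. 1 7200 900 1209600 300
@                3600 IN NS    ns1.example.
@                3600 IN NS    ns2.example.
@                3600 IN CNAME pubip.tizlab.xyz.
pubip            3600 IN A     203.0.113.10
_acme-challenge  60   IN TXT   "placeholder-token"
"""


def parse_zone(text):
    """Minimal zone-file parser: $ORIGIN, '@', relative names, optional TTL/class.

    Returns (owner, rtype, rdata) tuples. No $TTL, $INCLUDE or multi-line
    parentheses; enough for a lint pass like this one.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[1:]
        if rest and rest[0].isdigit():           # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def cname_conflicts(records):
    """Map each owner that has a CNAME plus other data to the offending types."""
    by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        by_owner[owner].add(rtype)
    result = {}
    for owner, types in by_owner.items():
        others = types - {"CNAME"} - DNSSEC_EXEMPT
        if "CNAME" in types and others:
            result[owner] = sorted(others)
    return result


def flatten_apex_cname(records, owner):
    """Replace the CNAME at `owner` with the A/AAAA records of its in-zone target.

    Single-hop only: the target must have address records in the same zone.
    """
    target = next((rd for o, rt, rd in records if o == owner and rt == "CNAME"), None)
    if target is None:
        return list(records)
    addrs = [(rt, rd) for o, rt, rd in records if o == target and rt in ("A", "AAAA")]
    if not addrs:
        raise ValueError(f"no A/AAAA for {target} in this zone; cannot flatten")
    fixed = [r for r in records if not (r[0] == owner and r[1] == "CNAME")]
    fixed.extend((owner, rt, rd) for rt, rd in addrs)
    return fixed


if __name__ == "__main__":
    recs = parse_zone(BROKEN_ZONE)
    print("conflicts before:", cname_conflicts(recs))
    print("conflicts after: ", cname_conflicts(flatten_apex_cname(recs, "tizlab.xyz.")))
```

Against a live zone the same check is a few queries rather than a parser: `dig +noall +answer tizlab.xyz CNAME` next to `dig +noall +answer tizlab.xyz SOA` and `... NS`; if the first returns an answer alongside the other two, the apex is in the conflicting state described above, and resolvers are free to answer SERVFAIL for anything under it, which is what Let's Encrypt's validator saw.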

I will remove the cname for the @ record, let's see (and encrypt :sweat_smile:).

It worked, removing that CNAME for the apex domain. I made an A record pointing to the IP. Thx bro.
