Hi,
I am attempting to generate a certificate for the domain new.hellomouse.net with a dns-01 challenge. The DNS record is successfully added and can be seen from Google DNS and directly, however, the server says the DNS request fails due to a SERVFAIL (or in rare cases, due to timeouts).
Direct request to DNS server:
$ dig @ns1.hellomouse.net _Acme-cHallenge.NEw.hellomouSe.Net txt
; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @ns1.hellomouse.net _Acme-cHallenge.NEw.hellomouSe.Net txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5454
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;_acme-challenge.new.hellomouse.net. IN TXT
;; ANSWER SECTION:
_Acme-cHallenge.NEw.hellomouSe.Net. 5 IN TXT "Zcb9-B9vBguJBdkkubyAtIOM3JgPERwVZ3_ojvwi0eg"
;; Query time: 185 msec
;; SERVER: 91.92.144.105#53(91.92.144.105)
;; WHEN: Sun May 20 15:23:14 PDT 2018
;; MSG SIZE rcvd: 142
Request to Google DNS:
$ dig @8.8.8.8 _Acme-cHallenge.NEw.hellomouSe.Net txt
; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @8.8.8.8 _Acme-cHallenge.NEw.hellomouSe.Net txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_Acme-cHallenge.NEw.hellomouSe.Net. IN TXT
;; ANSWER SECTION:
_Acme-cHallenge.NEw.hellomouSe.Net. 4 IN TXT "Zcb9-B9vBguJBdkkubyAtIOM3JgPERwVZ3_ojvwi0eg"
;; Query time: 279 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 20 15:23:31 PDT 2018
;; MSG SIZE rcvd: 119
Error given by Let’s Encrypt:
new.hellomouse.net:Verify error:DNS problem: SERVFAIL looking up TXT for _acme-challenge.new.hellomouse.net
Earlier, attempting to verify the domains hellomouse.net, io.hellomouse.net, and www.hellomouse.net succeeded.
Command:
./acme.sh --issue -d new.hellomouse.net --staging --dns dns_hm --dnssleep 300 -k ec-256 --log-level 2 --syslog 6 --cert-file /root/certs/new/cert.pem --key-file /root/certs/new/privkey.pem --fullchain-file /root/certs/new/fullchain.pem --reloadcmd /root/certs/new/postrenew --home /root/.acme.sh --debug
The DNS server is a custom server written in Node.js. It returns NOERROR and no response for CAA requests, as it is supposed to do.
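Added example (JavaScript, not code from the post or from the poster's Node.js server): minimal DNS wire-format helpers that rebuild the mixed-case TXT query from the first dig run above and apply the rule from RFC 1035 that a response must echo the question section byte for byte, which is exactly what a resolver that randomises query-name case (DNS 0x20) compares before accepting an answer. It is worth noticing that in the first dig run the QUESTION SECTION comes back lowercase while the query and the ANSWER SECTION are mixed-case. The query ID 5454 and the TTL of 5 are taken from that dig output; the TXT value is a constructed placeholder.

```javascript
// "a.b." -> \x01a\x01b\x00 (uncompressed; names here are short)
function encodeName(name) {
  const parts = name.replace(/\.$/, '').split('.')
    .map(l => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}
// Offset just past QNAME/QTYPE/QCLASS; assumes a 12-byte header and one question.
function questionEnd(pkt) {
  let off = 12;
  while (pkt[off] !== 0) off += 1 + pkt[off];
  return off + 5;
}
function buildQuery(id, qname, qtype) {
  const hdr = Buffer.alloc(12), tail = Buffer.alloc(4);
  hdr.writeUInt16BE(id, 0);
  hdr.writeUInt16BE(0x0100, 2);   // RD set, as dig sends by default
  hdr.writeUInt16BE(1, 4);        // QDCOUNT = 1
  tail.writeUInt16BE(qtype, 0);
  tail.writeUInt16BE(1, 2);       // class IN
  return Buffer.concat([hdr, encodeName(qname), tail]);
}
// Authoritative TXT reply: the question section is copied byte for byte from
// the query (case preserved) and the answer name is a pointer back to it.
function buildTxtResponse(query, txt) {
  const hdr = Buffer.alloc(12), rr = Buffer.alloc(12);
  hdr.writeUInt16BE(query.readUInt16BE(0), 0);   // same ID as the query
  hdr.writeUInt16BE(0x8500, 2);                  // QR, AA, RD echoed ("qr aa rd" in dig)
  hdr.writeUInt16BE(1, 4);                       // QDCOUNT = 1
  hdr.writeUInt16BE(1, 6);                       // ANCOUNT = 1
  const rdata = Buffer.concat([Buffer.from([txt.length]), Buffer.from(txt, 'ascii')]);
  rr.writeUInt16BE(0xc00c, 0);                   // NAME: pointer to the question name at offset 12
  rr.writeUInt16BE(16, 2);                       // TYPE TXT
  rr.writeUInt16BE(1, 4);                        // CLASS IN
  rr.writeUInt32BE(5, 6);                        // TTL 5, as in the dig output above
  rr.writeUInt16BE(rdata.length, 10);            // RDLENGTH
  return Buffer.concat([hdr, query.subarray(12, questionEnd(query)), rr, rdata]);
}
// The comparison a case-randomising (DNS 0x20) resolver makes before accepting a reply.
function questionMatches(query, response) {
  return query.readUInt16BE(0) === response.readUInt16BE(0) &&
    query.subarray(12, questionEnd(query)).equals(response.subarray(12, questionEnd(response)));
}
// Constructed sample: the mixed-case query from the first dig run above, a reply that
// echoes it verbatim, and a reply whose echoed question was lowercased by the server.
const query = buildQuery(5454, '_Acme-cHallenge.NEw.hellomouSe.Net', 16);
const verbatimEcho = buildTxtResponse(query, 'token-placeholder');
const lowercasedEcho = buildTxtResponse(
  buildQuery(5454, '_acme-challenge.new.hellomouse.net', 16), 'token-placeholder');
console.log(questionMatches(query, verbatimEcho), questionMatches(query, lowercasedEcho)); // true false
```

A server-side check against the raw packets (or a packet capture taken while the validation runs) tells whether the echoed question bytes differ from what was sent, independently of what dig's pretty-printed output shows.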