SERVFAIL - Wildcard DNS01 Bind

pbr18 · April 12, 2018, 9:36pm

Hi,
I encounter an error (SERVFAIL) when installing the wildcard certificate for my domain.
I use BIND9, CentOS 7v4 with SELinux enabled.
My order: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini -d *. vhost.fr -d vhost.fr
…
Obtaining a new Certificate
Performing the following challenges:
DNS-01 Challenge for Vhost.fr
DNS-01 Challenge for Vhost.fr
Cleaning up challenges
Received response from server: SERVFAIL

I have made several attempts but without success.
Do you have any idea what the problem is ?
Thank

My log file
…
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:Performing the following challenges:
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,064:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/auth_handler.py”, line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py”, line 57, in perform
self._perform(domain, validation_domain_name, validation)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 74, in _perform
self._get_rfc2136_client().add_txt_record(domain, validation_name, validation, self.ttl)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 132, in add_txt_record
.format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL

2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Calling registered functions
2018-04-12 21:18:44,066:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-12 21:18:44,068:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,070:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2018-04-12 21:18:44,072:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,073:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2018-04-12 21:18:44,073:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:Performing the following challenges:
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,064:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/auth_handler.py”, line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py”, line 57, in perform
self._perform(domain, validation_domain_name, validation)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 74, in _perform
self._get_rfc2136_client().add_txt_record(domain, validation_name, validation, self.ttl)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 132, in add_txt_record
.format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL
…

_az · April 12, 2018, 11:29pm

Could you increase the debug level of BIND and check its logs?

pbr18 · April 13, 2018, 9:29am

Thank you for your reply.

In bind logs I have unauthorized access to the .jnl file when adding or deleting records:

#/key keyname: update zone ‘vhost.fr/IN’: addind an RR at ‘_acme-challenge.vhost.fr’ TXT
#forward.vhost.fr.db.jnl: create: permission denied
#/key keyname: zone update ‘vhost.fr/IN’: error: log open failed: unexpected error

In the definition of my zone, I added:
update-policy {grant keyname. name _acme-challenge.vhost.fr. txt; }

Is it correct ?

_az · April 13, 2018, 10:04am

I’ve not had to manually admin BIND servers before, but that appears to possibly be a filesystem permissions error. If it was an authentication/authorization error, you would get REFUSED, not SERVFAIL.

Maybe take a look at your SELinux deny log (/var/log/audit/audit.log) and also review the permissions of the files mentioned in the error.

bytecamp · April 13, 2018, 10:28am

This is a file system permission issue. Check whether the user bind runs as can write to the directory where the journal files get created.

pbr18 · April 13, 2018, 12:49pm

Hi,

Well seen the problem of right of access. It actually came from selinux (setsebool -P named_write_master_zones on). This point is corrected.

But as I move forward, I have another problem.
DNS problem: NXDOMAIN lokking up TXT for _acme-challenge.vhost.fr

Is “_acme-challenge” correct for a “DNS01” challenge ?

jvanasco · April 13, 2018, 4:52pm

IIRC you can also get a SERVFAIL if the nameserver can't be found or isn't responding on port 53. This happened to me when I tried to create a domain+wildcard after buying a new domain. The registrar set the initial DNS servers pointed to a parking page system with long TTL. I don't recall the exact specifics, but for a few hours there was a mix of old and new DNS records active, and one set was pointing to a nameserver (for acme-dns) which the other set couldn't resolve. I think one system cached a wildcard failover off the non-existant system instead of a NXDOMAIN, and I had to wait for that to finally expire.

pbr18 · April 13, 2018, 8:05pm

hi,
Cool, it’s good. I got my certificate after deleting the /etc/letsencrypt directory and restarted the procedure.

But…

1 °) now in Firefox, I have an error when I request a secure page.
(Error code: SSL_ERROR_RX_RECORD_TOO_LONG)?

2 °) in the file "forward.vhost.fr.db " of bind, I do not see a TXT record
Is that normal?

mnordhoff · April 13, 2018, 8:10pm

That unintuitive error message means that the web server is running HTTP on the HTTPS port.

http://vhost.fr:443/ will load.

(The IPv6 address also times out.)

Back to IPv4, probably either the web server configuration isn't working, or there's some sort of port forwarding issue (if port forwarding is involved).

Probably. The TXT record only exists for a few seconds while Certbot is running. It automatically deletes it after the validation is finished.

Edit: By the way, it's not directly relevant, but one of the domain's DNS servers isn't working. http://dnsviz.net/d/vhost.fr/WtEO8w/dnssec/

pbr18 · April 14, 2018, 2:51pm

Thank,
http://vhost.fr:443 load.

My problem now is how to integrate the generic certificate within my infrastructure.

Ok thank you. I will create another request on the server category.

system · May 14, 2018, 2:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dns01 challenge fail with error "DNS problem: SERVFAIL looking up TXT" Help	5	847	September 26, 2021
_acme-challenges mismatch from dns-rfc2136 Help	7	1284	April 12, 2020
DNS problem: SERVFAIL looking up TXT for _acme-challenge Help	7	9563	September 24, 2019
DNS SERVFAIL errors from Let's Encrypt Help	3	100	August 23, 2024
Dns-01 challenge not working for wildcard cert Server	24	8966	September 13, 2018

SERVFAIL - Wildcard DNS01 Bind

Related topics