SERVFAIL - Wildcard DNS01 Bind

Hi,
I encounter an error (SERVFAIL) when installing the wildcard certificate for my domain.
I use BIND9, CentOS 7v4 with SELinux enabled.
My order: certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini -d *. vhost.fr -d vhost.fr

Obtaining a new Certificate
Performing the following challenges:
DNS-01 Challenge for Vhost.fr
DNS-01 Challenge for Vhost.fr
Cleaning up challenges
Received response from server: SERVFAIL

I have made several attempts but without success.
Do you have any idea what the problem is ?
Thank

My log file

2018-04-12 21:18:44,058:INFO:certbot.auth_handler:Performing the following challenges:
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,064:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/auth_handler.py”, line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py”, line 57, in perform
self._perform(domain, validation_domain_name, validation)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 74, in _perform
self._get_rfc2136_client().add_txt_record(domain, validation_name, validation, self.ttl)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 132, in add_txt_record
.format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL

2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Calling registered functions
2018-04-12 21:18:44,066:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-12 21:18:44,068:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,070:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2018-04-12 21:18:44,072:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,073:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Successfully deleted TXT record
2018-04-12 21:18:44,073:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:Performing the following challenges:
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,058:INFO:certbot.auth_handler:dns-01 challenge for vhost.fr
2018-04-12 21:18:44,064:DEBUG:certbot_dns_rfc2136.dns_rfc2136:Received authoritative SOA response for vhost.fr
2018-04-12 21:18:44,066:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/auth_handler.py”, line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File “/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py”, line 57, in perform
self._perform(domain, validation_domain_name, validation)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 74, in _perform
self._get_rfc2136_client().add_txt_record(domain, validation_name, validation, self.ttl)
File “/usr/lib/python2.7/site-packages/certbot_dns_rfc2136/dns_rfc2136.py”, line 132, in add_txt_record
.format(dns.rcode.to_text(rcode)))
PluginError: Received response from server: SERVFAIL

Could you increase the debug level of BIND and check its logs?

Thank you for your reply.

In bind logs I have unauthorized access to the .jnl file when adding or deleting records:

#/key keyname: update zone ‘vhost.fr/IN’: addind an RR at ‘_acme-challenge.vhost.fr’ TXT
#forward.vhost.fr.db.jnl: create: permission denied
#/key keyname: zone update ‘vhost.fr/IN’: error: log open failed: unexpected error

In the definition of my zone, I added:
update-policy {grant keyname. name _acme-challenge.vhost.fr. txt; }

Is it correct ?

I’ve not had to manually admin BIND servers before, but that appears to possibly be a filesystem permissions error. If it was an authentication/authorization error, you would get REFUSED, not SERVFAIL.

Maybe take a look at your SELinux deny log (/var/log/audit/audit.log) and also review the permissions of the files mentioned in the error.

This is a file system permission issue. Check whether the user bind runs as can write to the directory where the journal files get created.

1 Like

Hi,

Well seen the problem of right of access. It actually came from selinux (setsebool -P named_write_master_zones on). This point is corrected.

But as I move forward, I have another problem.
DNS problem: NXDOMAIN lokking up TXT for _acme-challenge.vhost.fr

Is “_acme-challenge” correct for a “DNS01” challenge ?

IIRC you can also get a SERVFAIL if the nameserver can't be found or isn't responding on port 53. This happened to me when I tried to create a domain+wildcard after buying a new domain. The registrar set the initial DNS servers pointed to a parking page system with long TTL. I don't recall the exact specifics, but for a few hours there was a mix of old and new DNS records active, and one set was pointing to a nameserver (for acme-dns) which the other set couldn't resolve. I think one system cached a wildcard failover off the non-existant system instead of a NXDOMAIN, and I had to wait for that to finally expire.

hi,
Cool, it’s good. I got my certificate after deleting the /etc/letsencrypt directory and restarted the procedure.

But…

1 °) now in Firefox, I have an error when I request a secure page.
(Error code: SSL_ERROR_RX_RECORD_TOO_LONG)?

2 °) in the file "forward.vhost.fr.db " of bind, I do not see a TXT record
Is that normal?

That unintuitive error message means that the web server is running HTTP on the HTTPS port.

http://vhost.fr:443/ will load.

(The IPv6 address also times out.)

Back to IPv4, probably either the web server configuration isn't working, or there's some sort of port forwarding issue (if port forwarding is involved).

Probably. The TXT record only exists for a few seconds while Certbot is running. It automatically deletes it after the validation is finished.

Edit: By the way, it's not directly relevant, but one of the domain's DNS servers isn't working. http://dnsviz.net/d/vhost.fr/WtEO8w/dnssec/

Thank,
http://vhost.fr:443 load.

My problem now is how to integrate the generic certificate within my infrastructure.

Ok thank you. I will create another request on the server category.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.