The domain's nameservers may be malfunctioning

Hello,

When I try to install certbot for my site, I receive this error:

[2022-09-27 11:21:41] production.DEBUG: :  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  
[2022-09-27 11:21:42] production.DEBUG: :  Plugins selected: Authenticator nginx, Installer nginx
  
[2022-09-27 11:21:42] production.DEBUG: :  Attempting to parse the version 1.30.0 renewal configuration file found at /etc/letsencrypt/renewal/deepplus.plus.conf with version 0.40.0 of Certbot. This might not work.
  
[2022-09-27 11:21:42] production.DEBUG: :  Obtaining a new certificate
  
[2022-09-27 11:21:42] production.DEBUG: :  An unexpected error occurred:
:  Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for drumheadshed.com: DNS problem: SERVFAIL looking up CAA for drumheadshed.com - the domain's nameservers may be malfunctioning
  
[2022-09-27 11:21:42] production.DEBUG: :  Please see the logfiles in /var/log/letsencrypt for more details.
  
[2022-09-27 11:21:42] production.DEBUG: [✗] This task did not complete successfully on one of your servers.

When I install multiple times, sometimes it works, sometimes it does not. I want to know exactly why this happens; please advise.

Best regards,

Chu

Welcome to the community @zucandu

You have two very different problems. One is the error about parsing a 1.30 renewal config with an older certbot v0.40. This happens when you have multiple versions of certbot installed on your system. Please review the install docs for certbot for how to remove the copy that came with your operating system.

The other problem is your DNS was returning an error code. I don't see any current problems with your DNS. Is that still happening?


Hi Mike,

Thank you for your support. Yes, it's still happening. Actually, it worked very well before but not at this time, and we still don't know why.

Thank you for the certbot 0.40. I will review and remove it.

Chu


I removed the old version of certbot and the warning no longer appears; however, the problem with CAA still exists. I have just tested it again.

There is definitely something weird going on with your DNS zone.
Let's Debug doesn't find that CAA problem:
Let's Debug (letsdebug.net)

Can your DSP help troubleshoot this problem?
Can you add a CAA record to specifically allow Let's Encrypt?
Can you add more DNS servers?
Can you switch your DSP?


This is the information I find on the domain, just sharing to assist everyone in debugging.

https://dnsviz.net/d/drumheadshed.com/dnssec/

https://unboundtest.com/m/CAA/drumheadshed.com/737WSDML

$ nslookup
> drumheadshed.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   drumheadshed.com
Address: 45.32.95.114
> set q=soa
> drumheadshed.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
drumheadshed.com
        origin = ns1.vultr.com
        mail addr = dnsadm.choopa.com
        serial = 0
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 3600

Authoritative answers can be found from:
> server ns1.vultr.com
Default server: ns1.vultr.com
Address: 173.199.96.96#53
> drumheadshed.com
Server:         ns1.vultr.com
Address:        173.199.96.96#53

drumheadshed.com
        origin = ns1.vultr.com
        mail addr = dnsadm.choopa.com
        serial = 0
        refresh = 10800
        retry = 3600
        expire = 604800
        minimum = 3600
> set q=a
> drumheadshed.com
Server:         ns1.vultr.com
Address:        173.199.96.96#53

Name:   drumheadshed.com
Address: 45.32.95.114
> set q=aaaa
> drumheadshed.com
Server:         ns1.vultr.com
Address:        173.199.96.96#53

*** Can't find drumheadshed.com: No answer
> set q=caa
> drumheadshed.com
Server:         ns1.vultr.com
Address:        173.199.96.96#53

*** Can't find drumheadshed.com: No answer
> set q=txt
> drumheadshed.com
Server:         ns1.vultr.com
Address:        173.199.96.96#53

drumheadshed.com        text = "v=spf1 mx ~all"
>

It's very difficult to specify the problem because when I try, sometimes it works. Weird.


Rudy had a good idea earlier. Maybe try adding a CAA record with the value:

0 issue "letsencrypt.org"

This will only allow Let's Encrypt to issue certs for your domain.

The reason this might help is because the SERVFAIL error seems to only happen with the CAA record. Your DNS servers should be responding "not found" but instead respond with the SERVFAIL. This is not allowed (by LE).

Adding a CAA record might help avoid this.

I appreciate how hard it is to deal with intermittent DNS issues. I haven't been able to recreate any problem with your DNS with any of the normal tools we use.

It's a bit of a long shot because you are not using IPv6, so you don't have an AAAA record in the DNS either. So, even if this helps with the CAA record, you might start seeing AAAA record SERVFAILs. LE checks for one and uses it over any A record for IPv4. Still, it might be helpful as a diagnostic aid if nothing else.

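To make the distinction in the post above concrete (NODATA lets the CA move on, SERVFAIL or REFUSED blocks issuance, and a `0 issue "letsencrypt.org"` record explicitly permits Let's Encrypt), here is an added example that is not part of the thread: it parses a DNS wire-format header and CAA RDATA per RFC 8659 and returns the decision a CA would make for one label. All responses are constructed by hand; the CAA RDATA is passed in separately rather than parsed out of the answer section, to keep the example short.

```python
"""Classify DNS responses the way a CA's CAA check does.

Added example, not from the thread. Parses a DNS wire-format header and
CAA RDATA (RFC 8659) and returns the CA's decision for one name. All
responses below are constructed by hand, not captured from any server.
"""
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(resp: bytes):
    """Return (rcode, answer_count) from the 12-byte DNS header."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0x0F, ancount


def parse_caa_rdata(rdata: bytes):
    """CAA RDATA layout: flags(1) | tag length(1) | tag | value."""
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


def caa_decision(resp: bytes, caa_rdatas, issuer="letsencrypt.org"):
    """Decide for one label: 'fail:<RCODE>' on a lookup error (the source of
    the thread's SERVFAIL message), 'climb' on NODATA so the CA continues
    at the parent label, otherwise 'allow' or 'forbid' from the issue tags."""
    rcode, ancount = parse_header(resp)
    if rcode != 0:
        return "fail:" + RCODE_NAMES.get(rcode, str(rcode))
    if ancount == 0:
        return "climb"
    issuers = []
    for rd in caa_rdatas:
        flags, tag, value = parse_caa_rdata(rd)
        if tag == "issue":
            # value is "<issuer-domain>[; parameters]"; a bare ";" allows nobody
            issuers.append(value.split(";", 1)[0].strip().lower())
        elif flags & 0x80:
            return "forbid"  # critical flag on a tag this CA does not understand
    if not issuers:
        return "allow"  # no issue tag present: CAA does not restrict issuance
    return "allow" if issuer in issuers else "forbid"


def header(flags, ancount):
    """Build a constructed 12-byte header with one question and no authority."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


# Constructed responses: QR|RD|RA set, rcode in the low nibble of the flags.
NODATA = header(0x8180, 0)    # NOERROR with an empty answer: CA climbs to parent
SERVFAIL = header(0x8182, 0)  # what the thread's nameservers returned for CAA
REFUSED = header(0x8185, 0)   # a "Query refused" answer from an authoritative
ONE_CAA = header(0x8180, 1)
LE_ONLY = [b"\x00\x05issueletsencrypt.org"]  # wire form of 0 issue "letsencrypt.org"
```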

Thank you so much Mike. I will try and update here.


Hi Mike,

You're correct. When I tried to add a CAA record, we got a new error. Any idea, Mike?

[2022-09-29 04:10:56] production.DEBUG: out : Requesting a certificate for musicpartsdirect.com
  
[2022-09-29 04:10:59] production.DEBUG: out : Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
: Domain: musicpartsdirect.com
: Type:   dns
: Detail: DNS problem: SERVFAIL looking up A for musicpartsdirect.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for musicpartsdirect.com - the domain's nameservers may be malfunctioning
: Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
  
[2022-09-29 04:11:01] production.DEBUG: out :  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  
[2022-09-29 04:11:01] production.DEBUG: out :  Some challenges have failed.
  
[2022-09-29 04:11:01] production.DEBUG: out :  Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
  
[2022-09-29 04:11:01] production.DEBUG: out [✗] This task did not complete successfully on one of your servers.

Do you think there are a few errors with DNS from our server?

That is a new domain name and DNSviz reports many problems. The first step is to resolve those. I'm signing off for the night so I didn't study it, but this is not the same issue as your other domain. Just a similar symptom.

https://dnsviz.net/d/musicpartsdirect.com/dnssec/


You changed domain names and this one is another DNS trainwreck:

nslookup -q=ns musicpartsdirect.com j.gtld-servers.net
musicpartsdirect.com    nameserver = ns1.vultr.com
musicpartsdirect.com    nameserver = ns2.vultr.com
nslookup -q=ns musicpartsdirect.com ns1.vultr.com
*** UnKnown can't find musicpartsdirect.com: Query refused

nslookup -q=ns musicpartsdirect.com ns2.vultr.com
*** UnKnown can't find musicpartsdirect.com: Query refused
