Ubuntu 16.04 - DNS problem: SERVFAIL looking up MX


#1

Attempting to do a certificate only, no install, on Ubuntu 16.04, since I’m trying to install the certificate in a Rancher 3-node cluster. Attempting to use letsencrypt certonly -d -d -d -d results in a message stating DNS problem: SERVFAIL looking up MX. Below is the log:

letsencrypt --version
letsencrypt 0.4.1

2016-10-06 02:00:23,271:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-10-06 02:00:23,272:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-06 02:00:23,272:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-10-06 02:00:23,272:DEBUG:letsencrypt.cli:Arguments: [’-d’, ‘’, ‘-d’, ‘’, ‘-d’, ‘’, ‘-d’, ‘’]
2016-10-06 02:00:23,273:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-10-06 02:00:23,276:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-10-06 02:00:23,316:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py”, line 103, in prepare
self.initialized.prepare()
File “/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py”, line 56, in prepare
"Missing parts of webroot configuration; please set either "
PluginError: Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
2016-10-06 02:00:23,317:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7febb128a7d0>
Prep: True
2016-10-06 02:00:23,317:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7febb128a7d0> and installer None
2016-10-06 02:00:31,164:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-10-06 02:00:31,168:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:00:31,519:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 280
2016-10-06 02:00:31,522:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Boulder-Request-Id’: ‘XSgsK9tIOnJflNRO_eOypUrXMwHy52EapDVdzERhUYM’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘1wXXq_fs1zE8DUZ4cR6KHqYTp5gp_5qJieuZVHQp73U’}. Content: '{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}'
2016-10-06 02:00:31,523:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Boulder-Request-Id’: ‘XSgsK9tIOnJflNRO_eOypUrXMwHy52EapDVdzERhUYM’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘1wXXq_fs1zE8DUZ4cR6KHqYTp5gp_5qJieuZVHQp73U’}): '{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}'
2016-10-06 02:00:31,523:DEBUG:root:Requesting fresh nonce
2016-10-06 02:00:31,523:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-reg. args: (), kwargs: {}
2016-10-06 02:00:31,525:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:00:31,785:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-reg HTTP/1.1” 405 0
2016-10-06 02:00:31,788:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘91’, ‘Pragma’: ‘no-cache’, ‘Boulder-Request-Id’: ‘f2pMkUGZ3nDzevu4KPMMe_hXC8gznmBia8KHJdhOLMw’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘oAUJJy8-G7d_zJuKZvlrPS_I-fft_t7C3sXd6wSk39Q’}. Content: '‘
2016-10-06 02:00:31,788:DEBUG:acme.client:Storing nonce: "\xa0\x05\t’/>\x1b\xb7\x7f\xcc\x9b\x8af\xf9k=/\xc8\xf9\xf7\xed\xfe\xde\xc2\xde\xc5\xdd\xeb\x04\xa4\xdf\xd4"
2016-10-06 02:00:31,789:DEBUG:acme.jose.json_util:Omitted empty fields: authorizations=None, certificates=None, agreement=None, key=None
2016-10-06 02:00:31,790:DEBUG:acme.client:Serialized JSON: {“contact”: [“mailto:@richinsconsulting.com”], “resource”: “new-reg”}
2016-10-06 02:00:31,791:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ=None
2016-10-06 02:00:31,796:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2016-10-06 02:00:31,796:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-reg. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “xyZHFtaCKg8BsPfl2ENnRuV4DsoGSume3ZZbHEc0NEC-yp7-D5dEzZA9viQJJpdonuFvtd-KliL5p5lPCJIKLHX5_I01824RMC8mqg-U31p1dMnG-J2vBTH7EXCpO4wQrRIc-NHVsKssvLPE0qLbkR_ZKrYTIfKmLpdzIxAV6Ak3sg4gP8QuyjMos80qoJxcYh34stX78WdARI5ZH4k2yBr8Bd-S7DD5EPXrmfNpgaGyOIDj69g-wIAyd_qOMxxPpzXJnR2_y6tkEui6lg4rNlHt-IQylY6dR1MJWux7Jz6L0pUzX2RKfJWTJCv6GWSKZJbKC9Y9DzPugMAGES5x0w”}}, “protected”: “eyJub25jZSI6ICJvQVVKSnk4LUc3ZF96SnVLWnZsclBTX0ktZmZ0X3Q3QzNzWGQ2d1NrMzlRIn0”, “payload”: “eyJjb250YWN0IjogWyJtYWlsdG86bm9jQHJpY2hpbnNjb25zdWx0aW5nLmNvbSJdLCAicmVzb3VyY2UiOiAibmV3LXJlZyJ9”, “signature”: “Y3_GMyqxmtI6rdGYx66697gGb59WHUOPMHUWlqZkspB2JuM_haEHa-HNvNPpB3YUvfOASQtHJ2PbgZU6ojrmuDtd1J_H8emQMbpCcrtdEgcHdv-2yxwiqHdAUaQaca3hNN5C0quVIWSbrVpjIQyBrpaO_468PFxhAEOFxGAszPFBX-CrjtHiNDYMd61Isg0fDYX4N2kCfU0TSjBTCujuMduBIPZYxfywuiu6kSDGnBynZJZ4Z_n3GHsWMnU4MGVMPn-tCxbyrcsFvxzueSX8Ag5zhSFZTMShduh7locV6VIQYww7IJ37tUaCagJyrW0qza4RkRO7254elDh9861beg”}’}
2016-10-06 02:00:31,798:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:01:02,181:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-reg HTTP/1.1” 400 137
2016-10-06 02:01:02,183:DEBUG:root:Received <Response [400]>. Headers: {‘Content-Length’: ‘137’, ‘Boulder-Request-Id’: ‘HSpSfr2RL7g8luUw0puZVaZqDninAO7OlF_T4YAH7BA’, ‘Expires’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘0EGoY-xhz9x9-7Un21-pxKAr97Pvrx_4VuUMkLTmW0k’}. Content: '{\n “type”: “urn:acme:error:invalidEmail”,\n “detail”: “DNS problem: SERVFAIL looking up MX for richinsconsulting.com”,\n “status”: 400\n}‘
2016-10-06 02:01:02,184:DEBUG:acme.client:Storing nonce: "\xd0A\xa8c\xeca\xcf\xdc}\xfb\xb5’\xdb
\xa9\xc4\xa0+\xf7\xb3\xef\xaf\x1f\xf8V\xe5\x0c\x90\xb4\xe6[I"
2016-10-06 02:01:02,184:DEBUG:acme.client:Received response <Response [400]> (headers: {‘Content-Length’: ‘137’, ‘Boulder-Request-Id’: ‘HSpSfr2RL7g8luUw0puZVaZqDninAO7OlF_T4YAH7BA’, ‘Expires’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘0EGoY-xhz9x9-7Un21-pxKAr97Pvrx_4VuUMkLTmW0k’}): '{\n “type”: “urn:acme:error:invalidEmail”,\n “detail”: “DNS problem: SERVFAIL looking up MX for richinsconsulting.com”,\n “status”: 400\n}'
2016-10-06 02:01:02,185:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 689, in obtain_cert
le_client = _init_le_client(config, authenticator, installer)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 206, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 191, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 118, in register
regr = perform_registration(acme, config)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 148, in perform_registration
return acme.register(messages.NewRegistration.from_data(email=config.email))
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 98, in register
response = self.net.post(self.directory[new_reg], new_reg)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 652, in post
return self._check_response(response, content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 568, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:invalidEmail :: The provided email for a registration was invalid :: DNS problem: SERVFAIL looking up MX for richinsconsulting.com


#2

In my research thus far I’ve come across this issue for Boulder in GitHub issues, https://github.com/letsencrypt/boulder/issues/1197, that states that checks should be done on both A records and MX records, and the RFC states that MX should fall back to an A record, but I only have MX records for the mail portion of my DNS domain name. Any A records are used for web hosting.

So this is where my research to resolve this is leading, but if this is not needed then I would hope to have a reply that would save me going down a rabbit hole.


#3

I think this is an issue with your DNSSEC configuration. dnscheck.iis.se reports:

Inconsistent security for richinsconsulting.com - DS found at parent, but no DNSKEY found at child.

The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY records. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.
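The condition reported in post #3, as an added example that is not part of the thread and is not Let's Encrypt's or dnscheck's code: it classifies a delegation from dig-style DS (parent) and DNSKEY (child) answers, using the RFC 4034 Appendix B key tag. The zone name `example.test`, the key material and the digest are constructed, and the check compares key tag and algorithm only; it does not verify DS digests or RRSIG signatures.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_rrset(answer, rrtype):
    """Return the RDATA fields of every `owner TTL IN <rrtype> ...` line."""
    rows = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) > 4 and fields[2] == "IN" and fields[3] == rrtype:
            rows.append(fields[4:])
    return rows

def delegation_state(parent_answer, child_answer):
    """Compare the parent's DS RRset with the child's DNSKEY RRset."""
    # DS RDATA: key tag, algorithm, digest type, digest
    ds = {(int(r[0]), int(r[1])) for r in parse_rrset(parent_answer, "DS")}
    # DNSKEY RDATA: flags, protocol, algorithm, public key (may be split)
    keys = {
        (key_tag(int(r[0]), int(r[1]), int(r[2]), "".join(r[3:])), int(r[2]))
        for r in parse_rrset(child_answer, "DNSKEY")
    }
    if not ds:
        return "insecure"  # no secure delegation; resolvers do not validate
    if not keys:
        # The case in post #3: validating resolvers answer SERVFAIL
        return "bogus: DS at parent, no DNSKEY at child"
    if not ds & keys:
        return "bogus: no DNSKEY matches any DS"
    return "consistent"

# Constructed sample answers (not real records for any domain).
PARENT_WITH_DS = "example.test. 86400 IN DS 2063 8 2 " + "00" * 32
CHILD_NO_DNSKEY = ";; ANSWER SECTION:\n"
CHILD_WITH_KEY = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(delegation_state(PARENT_WITH_DS, CHILD_NO_DNSKEY))
    print(delegation_state(PARENT_WITH_DS, CHILD_WITH_KEY))
```
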


#4

If that’s the case, that’s a very sad thing for me, as near as I can tell there isn’t any way for me to set up DNSSEC on name.com. Sure, I can add DNSSEC records (https://www.name.com/support/articles/205439058-DNSSEC?keyword=DNSSEC), but there is no auto-managed DNSSEC setup via name.com.

I would like to have DNSSEC fully compliant and set up without having to switch registrars.


#5

FWIW, Let’s Encrypt works both with and without DNSSEC, it just chokes on broken DNSSEC configurations (as it should, otherwise there would be no point in bothering with DNSSEC at all :smile:).

Not familiar with name.com, maybe someone else has a solution.

