Ubuntu 16.04 - DNS problem: SERVFAIL looking up MX

Attempting to do a certificate only, no install, on Ubuntu 16.04 since I’m trying to install the certificate in a Rancher 3 node cluster. Attempting to use letsencrypt certonly -d -d -d -d results in a message stating DNS problem: SERVFAIL looking up MX. Below is the log.

letsencrypt --version
letsencrypt 0.4.1

2016-10-06 02:00:23,271:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-10-06 02:00:23,272:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-06 02:00:23,272:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-10-06 02:00:23,272:DEBUG:letsencrypt.cli:Arguments: [’-d’, ‘’, ‘-d’, ‘’, ‘-d’, ‘’, ‘-d’, ‘’]
2016-10-06 02:00:23,273:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-10-06 02:00:23,276:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-10-06 02:00:23,316:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py”, line 103, in prepare
self.initialized.prepare()
File “/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py”, line 56, in prepare
"Missing parts of webroot configuration; please set either "
PluginError: Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
2016-10-06 02:00:23,317:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7febb128a7d0>
Prep: True
2016-10-06 02:00:23,317:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7febb128a7d0> and installer None
2016-10-06 02:00:31,164:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-10-06 02:00:31,168:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:00:31,519:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 280
2016-10-06 02:00:31,522:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Boulder-Request-Id’: ‘XSgsK9tIOnJflNRO_eOypUrXMwHy52EapDVdzERhUYM’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘1wXXq_fs1zE8DUZ4cR6KHqYTp5gp_5qJieuZVHQp73U’}. Content: '{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}'
2016-10-06 02:00:31,523:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Boulder-Request-Id’: ‘XSgsK9tIOnJflNRO_eOypUrXMwHy52EapDVdzERhUYM’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘1wXXq_fs1zE8DUZ4cR6KHqYTp5gp_5qJieuZVHQp73U’}): '{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}'
2016-10-06 02:00:31,523:DEBUG:root:Requesting fresh nonce
2016-10-06 02:00:31,523:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-reg. args: (), kwargs: {}
2016-10-06 02:00:31,525:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:00:31,785:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-reg HTTP/1.1” 405 0
2016-10-06 02:00:31,788:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘91’, ‘Pragma’: ‘no-cache’, ‘Boulder-Request-Id’: ‘f2pMkUGZ3nDzevu4KPMMe_hXC8gznmBia8KHJdhOLMw’, ‘Expires’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:00:31 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘oAUJJy8-G7d_zJuKZvlrPS_I-fft_t7C3sXd6wSk39Q’}. Content: '‘
2016-10-06 02:00:31,788:DEBUG:acme.client:Storing nonce: "\xa0\x05\t’/>\x1b\xb7\x7f\xcc\x9b\x8af\xf9k=/\xc8\xf9\xf7\xed\xfe\xde\xc2\xde\xc5\xdd\xeb\x04\xa4\xdf\xd4"
2016-10-06 02:00:31,789:DEBUG:acme.jose.json_util:Omitted empty fields: authorizations=None, certificates=None, agreement=None, key=None
2016-10-06 02:00:31,790:DEBUG:acme.client:Serialized JSON: {“contact”: [“mailto:@richinsconsulting.com”], “resource”: “new-reg”}
2016-10-06 02:00:31,791:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ=None
2016-10-06 02:00:31,796:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2016-10-06 02:00:31,796:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-reg. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “xyZHFtaCKg8BsPfl2ENnRuV4DsoGSume3ZZbHEc0NEC-yp7-D5dEzZA9viQJJpdonuFvtd-KliL5p5lPCJIKLHX5_I01824RMC8mqg-U31p1dMnG-J2vBTH7EXCpO4wQrRIc-NHVsKssvLPE0qLbkR_ZKrYTIfKmLpdzIxAV6Ak3sg4gP8QuyjMos80qoJxcYh34stX78WdARI5ZH4k2yBr8Bd-S7DD5EPXrmfNpgaGyOIDj69g-wIAyd_qOMxxPpzXJnR2_y6tkEui6lg4rNlHt-IQylY6dR1MJWux7Jz6L0pUzX2RKfJWTJCv6GWSKZJbKC9Y9DzPugMAGES5x0w”}}, “protected”: “eyJub25jZSI6ICJvQVVKSnk4LUc3ZF96SnVLWnZsclBTX0ktZmZ0X3Q3QzNzWGQ2d1NrMzlRIn0”, “payload”: “eyJjb250YWN0IjogWyJtYWlsdG86bm9jQHJpY2hpbnNjb25zdWx0aW5nLmNvbSJdLCAicmVzb3VyY2UiOiAibmV3LXJlZyJ9”, “signature”: “Y3_GMyqxmtI6rdGYx66697gGb59WHUOPMHUWlqZkspB2JuM_haEHa-HNvNPpB3YUvfOASQtHJ2PbgZU6ojrmuDtd1J_H8emQMbpCcrtdEgcHdv-2yxwiqHdAUaQaca3hNN5C0quVIWSbrVpjIQyBrpaO_468PFxhAEOFxGAszPFBX-CrjtHiNDYMd61Isg0fDYX4N2kCfU0TSjBTCujuMduBIPZYxfywuiu6kSDGnBynZJZ4Z_n3GHsWMnU4MGVMPn-tCxbyrcsFvxzueSX8Ag5zhSFZTMShduh7locV6VIQYww7IJ37tUaCagJyrW0qza4RkRO7254elDh9861beg”}’}
2016-10-06 02:00:31,798:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-06 02:01:02,181:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-reg HTTP/1.1” 400 137
2016-10-06 02:01:02,183:DEBUG:root:Received <Response [400]>. Headers: {‘Content-Length’: ‘137’, ‘Boulder-Request-Id’: ‘HSpSfr2RL7g8luUw0puZVaZqDninAO7OlF_T4YAH7BA’, ‘Expires’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘0EGoY-xhz9x9-7Un21-pxKAr97Pvrx_4VuUMkLTmW0k’}. Content: '{\n “type”: “urn:acme:error:invalidEmail”,\n “detail”: “DNS problem: SERVFAIL looking up MX for richinsconsulting.com”,\n “status”: 400\n}‘
2016-10-06 02:01:02,184:DEBUG:acme.client:Storing nonce: "\xd0A\xa8c\xeca\xcf\xdc}\xfb\xb5’\xdb
\xa9\xc4\xa0+\xf7\xb3\xef\xaf\x1f\xf8V\xe5\x0c\x90\xb4\xe6[I"
2016-10-06 02:01:02,184:DEBUG:acme.client:Received response <Response [400]> (headers: {‘Content-Length’: ‘137’, ‘Boulder-Request-Id’: ‘HSpSfr2RL7g8luUw0puZVaZqDninAO7OlF_T4YAH7BA’, ‘Expires’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Thu, 06 Oct 2016 02:01:02 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘0EGoY-xhz9x9-7Un21-pxKAr97Pvrx_4VuUMkLTmW0k’}): '{\n “type”: “urn:acme:error:invalidEmail”,\n “detail”: “DNS problem: SERVFAIL looking up MX for richinsconsulting.com”,\n “status”: 400\n}'
2016-10-06 02:01:02,185:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 689, in obtain_cert
le_client = _init_le_client(config, authenticator, installer)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 206, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 191, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 118, in register
regr = perform_registration(acme, config)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 148, in perform_registration
return acme.register(messages.NewRegistration.from_data(email=config.email))
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 98, in register
response = self.net.post(self.directory[new_reg], new_reg)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 652, in post
return self._check_response(response, content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 568, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:invalidEmail :: The provided email for a registration was invalid :: DNS problem: SERVFAIL looking up MX for richinsconsulting.com

In my research thus far I’ve come across this issue for Boulder in GitHub issues, https://github.com/letsencrypt/boulder/issues/1197, that states that checks should be done on both A records and MX records and that the RFC states that MX should fall back to an A record, but I only have MX records for the mail portion of my DNS domain name. Any A records are used for web hosting.

So this is where my research to resolve this is leading, but if this is not needed then I would hope to have a reply that would save me going down a rabbit hole.

I think this is an issue with your DNSSEC configuration. dnscheck.iis.se reports:

Inconsistent security for richinsconsulting.com - DS found at parent, but no DNSKEY found at child.

The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY records. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.

If that’s the case, that’s a very sad thing for me, as near as I can tell there isn’t any way for me to set up DNSSEC on name.com. Sure, I can add DNSSEC records (https://www.name.com/support/articles/205439058-DNSSEC?keyword=DNSSEC), but there is no auto-managed DNSSEC setup via name.com.

I would like to have DNSSEC fully compliant and set up without having to switch registrars.

FWIW, Let’s Encrypt works both with and without DNSSEC, it just chokes on broken DNSSEC configurations (as it should, otherwise there would be no point in bothering with DNSSEC at all :smile:).

Not familiar with name.com, maybe someone else has a solution.
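
The DS/DNSKEY inconsistency reported by dnscheck above, and the reason a validating resolver answers SERVFAIL for it, can be checked offline with the added example below (not code from any poster or from Let's Encrypt). It assumes the DS and DNSKEY record strings were collected beforehand, for example with `dig +short DS <zone>` and `dig +short DNSKEY <zone>`; the sample key is constructed, and "consistent" means only that a DS matches a DNSKEY, not that signatures were verified.

```python
import base64, hashlib, struct

# Constructed sample key (32 zero bytes, algorithm 15); not a real zone's key.
SAMPLE_KSK = "257 3 15 " + "A" * 43 + "="

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(text):
    """DNSKEY presentation format 'flags proto alg base64' -> RDATA bytes."""
    flags, proto, alg, *b64 = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(zone, dnskey_text):
    """(key tag, algorithm, 2, digest) the parent would publish for this key."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def parse_ds(text):
    """DS presentation format 'tag alg digest-type hex...' -> comparable tuple."""
    tag, alg, dtype, *hexparts = text.split()
    return (int(tag), int(alg), int(dtype), "".join(hexparts).upper())

def classify(zone, ds_rrset, dnskey_rrset):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    if not ds_rrset:
        return "insecure"  # no DS at parent: resolvers do not validate the zone
    if not dnskey_rrset:
        return "bogus: DS at parent, no DNSKEY at child"  # the case in this thread
    published = {parse_ds(ds) for ds in ds_rrset}
    if not any(ds[2] == 2 for ds in published):
        return "unchecked: no SHA-256 DS to compare"
    if any(ds_sha256(zone, key) in published for key in dnskey_rrset):
        return "consistent"  # a DS matches a DNSKEY; RRSIGs are not checked here
    return "bogus: no DNSKEY matches the DS"

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_sha256("example.com", SAMPLE_KSK)
    ds_line = "%d %d %d %s" % (tag, alg, dtype, digest)
    print(classify("example.com", [ds_line], []))
    print(classify("example.com", [ds_line], [SAMPLE_KSK]))
```

Either "bogus" result is the state in which a validating resolver returns SERVFAIL for every query in the zone, MX lookups included; "insecure" zones resolve normally.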
