Unable to renew after enabling dnssec

hi, after enabling dnssec i can’t renew my certificate.
but if i disable dnssec its work without problem!!

this is my steps:
1 - command: sudo certbot --nginx -d mehrtakhfif.com -d www.mehrtakhfif.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/mehrtakhfif.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mehrtakhfif.com
http-01 challenge for www.mehrtakhfif.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.mehrtakhfif.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for www.mehrtakhfif.com - the domain’s nameservers may be malfunctioning


  • The following errors were reported by the server:

    Domain: www.mehrtakhfif.com
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for
    www.mehrtakhfif.com - the domain’s nameservers may be

2 - dig +dnssec @n.ns.arvancdn.com mehrtakhfif.com caa


; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> +dnssec @n.ns.arvancdn.com mehrtakhfif.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26698
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f0b3edcbb93c1475 (echoed)
;mehrtakhfif.com. IN CAA

mehrtakhfif.com. 7200 IN NSEC \000.mehrtakhfif.com. A NS SOA PTR MX TXT AAAA SRV RRSIG NSEC TLSA
mehrtakhfif.com. 7200 IN RRSIG NSEC 5 2 7200 20200408124501 20200331094501 43881 mehrtakhfif.com. XHWs3aJqnqlHb2wCML6eM1GK7KD4Ht3TQovrsE+/8MrJ5dEJi7Weg4Sr XVwtS9OXH4uryXadyk41dVBVTzwSPZPA+zeHhgiKdlRzClBwstrWxFSx dWHOtUTeB11BKgGbOc39LNzRbQuJ/j/Hb/OhsHNL2Prnt7Oqb7Hx11Pw Wfk=mehrtakhfif.com. 3600 IN SOA n.ns.arvancdn.com. hostmaster.arvancloud.com. 1585657360 86400 7200 604800 7200
mehrtakhfif.com. 3600 IN RRSIG SOA 5 2 3600 20200408124501 20200331094501 43881 mehrtakhfif.com. qTX7NQWjV/9uwsb8s/tp+J1t9dkPEUjPQvzHzzRJ0Vsfeib4nf2VPMpv CvwFh+lAk5PuF7Icey7z+tBx8JDsKzsAl6pIlLYKD/TRreo8YAMCH5Fd IBxZDuDie4j2BErR6jX0nDr2/61NKmCyaFELc7AS8RB8GHQQmTkDi7pQ t2w=

;; Query time: 6 msec
;; WHEN: Tue Mar 31 12:45:06 UTC 2020
;; MSG SIZE rcvd: 584

3 - and finally test on https://letsdebug.net/
All OK!


No issues were found with mehrtakhfif.com. If you are having problems with creating an SSL certificate, please visit the Let’s Encrypt Community forums and post a question there.

My domain is: mehrtakhfif.com

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): ubuntu/18.04

My hosting provider, if applicable, is: arvancloud.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

Hi @meelad

there is a check of your domain, ~~10 minutes old - https://check-your-website.server-daten.de/?q=mehrtakhfif.com

With an interesting result:


Normally, only one RRSIG 47 (NSEC) should be sent.
But you have two. One with a reduced bitmap RRSIG, NSEC, two different:


That’s curious. Bitmap -> these entries exist.

So the first row says: You don’t have a CAA. The second -> you have one.

May be a bug in my tool. May be a delayed result. You use ANYCAST.

  • Wait some minutes, try it again
  • add a CAA with mehrtakhfif.com as domain name.

Unboundtest - https://unboundtest.com/m/CAA/mehrtakhfif.com/HAKD2KYZ - is happy. NoData, NoError.

it’s a little bit confusing, so what i have to do right now?
you say: “add a CAA with mehrtakhfif.com as domain name.”
where i have to add a caa?

In your dns management - j.ns.arvancdn.com is your name server.

The result should be visible in the #CAA section - https://check-your-website.server-daten.de/?q=mehrtakhfif.com#caa

sorry, but still i don’t know what to do?
i haven’t access to any CAA record in my DNS

Sorry, missing “n”.

If your dns provider doesn’t support CAA entries, that’s bad. But then you can’t create one.

Something seems to be wrong with your NODATA responses. I can’t tell what, though. It’s not specific to CAA – other query types, like www.mehrtakhfif.com AAAA or MX also fail.

If you turn up Unbound’s logging, it says “NODATA response failed to prove NODATA status with NSEC/NSEC3”.

Knot Resolver and can’t resolve them either.

(Conversely, BIND and PowerDNS can. I might have an idea why: They may query for DS, to which the authoritative servers incorrectly say that there is an insecure delegation(!), so they turn off DNSSEC validation for the tree and don’t have as much reason to care about other problems.)

For now you should consider switching to a different DNS service or turning off DNSSEC. You’re not getting much out of it anyway.

(It’s not relevant to this, but they also ought to fix handling of unknown EDNS options and types. And stop using algorithm 5.)

Looks like a Cloudflare-style NSEC black lies implementation. Cloudflare calls the type bitmap approach “DNS shotgun”. If you query for nonexistent type X, it says “every (supported) type except for X exists”. If you query for nonexistent type Y, it says that “every (supported) type except for Y exists”.

It’s valid as long as you do it right and each response is internally consistent. It’s effectively the same thing as what would happen if the user kept adding and deleting records, which is of course a perfectly valid (while weird) thing to do.

1 Like

Ah, thanks, didn’t know.

And there is such an answer

DS-Query in the parent zone has a valid NSEC RR as result with the domain name between 
the NSEC-Owner "www.mehrtakhfif.com" and the NextOwner "\000.www.mehrtakhfif.com".

with \000.

I use Xml internal (external check -> database stored procedure), an older check crashed because of an Ascii(0). So I’ve added such a replacement.

i can’t switch to different DNS service right now, so i guess turning off the DNSSEC is only option

thank you

thanks for your help

@mnordhoff @JuergenAuer
yesterday before i’m going to turn off DNSSEC try my chance for one last time.
i deleted all previous certificates and update my certbot (0.27 -> 0.32) and then try to get certificate with DNS challenge with this command:

sudo certbot --server https://acme-v02.api.letsencrypt.org/directory -d example.com --nginx --preferred-challenges dns-01 certonly

everything works now, i hope this help someone.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.