Unable to renew certificate with error SERVFAIL looking up A

I was not able to renew one of my client's SSL certificates, what's wrong with it? Thanks.

Attempting to renew cert (www.tpeg.com.hk) from /etc/letsencrypt/renewal/www.tpeg.com.hk.conf produced an unexpected error: Failed authorization procedure. www.tpeg.com.hk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.tpeg.com.hk. Skipping.

Something bad is happening when Let's Encrypt tries to resolve your domain's records.

A previous thread looks very similar but I wasn't able to relate the specific issue to your domain:

Perhaps it is because none of your nameservers actually return NS records for your domains, but this is speculation. I think you may need to wait for somebody from Let's Encrypt to take a look.

I don’t think that’s the problem. It’s a configuration error, but Unbound can usually tolerate it. I don’t remember specifically checking with Let’s Encrypt, though.

Let’s Encrypt sends queries with random capitalization for security reasons. The domain’s nameservers aren’t designed to support that: they return lowercase responses.

https://unboundtest.com/m/A/www.tpeg.com.hk/7QFI3K5E

Usually that would be okay… Unbound would automatically send a few lowercase queries, and if the responses matched, it would accept them.

But the responses don’t match.

http://dnsviz.net/d/ns1.72dns.com/WkDoJA/dnssec/

For ns1.72dns.com, most of the authoritative nameservers return a set of 3 IPv4 addresses, but one of them returns 3 different IPv4 addresses.

http://dnsviz.net/d/ns2.72dns.com/WkDo1A/dnssec/

For ns2.72dns.com, it’s a CNAME to ns2.idc1.cn. That’s improper and may disqualify it immediately. If not, it’s disqualified because, again, the authoritative nameservers return different sets of IPv4 addresses.

The DNS provider needs to change some, though not all, of those things, before Let’s Encrypt will be able to resolve the zone.

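The reply above describes two distinct failure modes behind the single SERVFAIL: the authoritative servers lowercase the 0x20-randomized question name, so the resolver falls back to plain lowercase queries and demands that every authoritative server agree, and they do not (ns1), or the nameserver hostname is itself a CNAME (ns2). The following is an added example, not code from the original thread, from Unbound or from Let's Encrypt: a small Python model of that fallback logic run against constructed nameserver data (documentation-range addresses from RFC 5737, hypothetical names `ns1.example.net`, `ns2.example.net`, `auth0..auth2`), so the four outcomes can be reproduced offline.

```python
"""Model of the DNS 0x20 fallback described in the thread.

Constructed example: the servers, zones and addresses below are made up and
stand in for the behaviour the post attributes to Unbound; this is not the
resolver's real code.
"""
import random
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Two different address sets, as seen on the DNSViz graph for ns1 (RFC 5737 ranges).
A_SET = frozenset({"192.0.2.1", "192.0.2.2", "192.0.2.3"})
OTHER_SET = frozenset({"198.51.100.1", "198.51.100.2", "198.51.100.3"})


@dataclass(frozen=True)
class Response:
    qname: str             # question name exactly as the server echoed it back
    rrtype: str            # "A" or "CNAME"
    rdata: FrozenSet[str]  # A addresses, or the single CNAME target


@dataclass
class AuthServer:
    """Constructed stand-in for one authoritative nameserver of a zone."""
    name: str
    zone: Dict[str, Response]    # lowercase owner name -> canned answer
    preserves_case: bool = True  # False: server lowercases the echoed question

    def query(self, qname: str) -> Response:
        canned = self.zone[qname.lower()]
        echoed = qname if self.preserves_case else qname.lower()
        return Response(echoed, canned.rrtype, canned.rdata)


def randomize_case(name: str, rng: random.Random) -> str:
    """DNS 0x20: flip the case of each letter at random. A conforming server
    echoes the name unchanged, so a spoofed reply also has to guess the case
    pattern. One letter is forced upper-case so the demo never degenerates to
    an all-lowercase query (a real resolver just rolls the dice)."""
    chars = [c.upper() if rng.random() < 0.5 else c.lower() for c in name]
    if "".join(chars) == name.lower():
        i = next(i for i, c in enumerate(chars) if c.isalpha())
        chars[i] = chars[i].upper()
    return "".join(chars)


class Servfail(Exception):
    pass


def _require_a(ns_host: str, resp: Response) -> FrozenSet[str]:
    # An NS target must own address records directly; an alias is improper here.
    if resp.rrtype != "A":
        raise Servfail(f"{ns_host} answers with a {resp.rrtype}, not an A record; "
                       f"a nameserver name must not be an alias")
    return resp.rdata


def resolve_ns_address(ns_host: str, servers: List[AuthServer],
                       rng: random.Random) -> FrozenSet[str]:
    """Resolve a nameserver hostname the way the thread describes Unbound:
    send one 0x20 query; if the echo does not match, retry in lowercase against
    every authoritative server and accept only if all answers are identical."""
    q = randomize_case(ns_host, rng)
    first = servers[0].query(q)
    if first.qname == q:                      # case preserved: accept as-is
        return _require_a(ns_host, first)
    answers = [s.query(ns_host.lower()) for s in servers]
    distinct = {(a.rrtype, a.rdata) for a in answers}
    if len(distinct) != 1:
        detail = "; ".join(f"{s.name}->{sorted(a.rdata)}" for s, a in zip(servers, answers))
        raise Servfail(f"0x20 fallback failed for {ns_host}: servers disagree ({detail})")
    return _require_a(ns_host, answers[0])


def run_scenario(scenario: str, seed: int = 7) -> Tuple[str, str]:
    """Build three constructed authoritative servers for one scenario and
    return ("OK", "addr,addr,...") or ("SERVFAIL", reason)."""
    rng = random.Random(seed)
    good = Response("ns1.example.net", "A", A_SET)
    bad = Response("ns1.example.net", "A", OTHER_SET)
    alias = Response("ns2.example.net", "CNAME", frozenset({"ns2.other.example"}))
    host = "ns1.example.net"
    if scenario == "case-preserving":
        servers = [AuthServer(f"auth{i}", {host: good}) for i in range(3)]
    elif scenario == "lowercase-consistent":
        servers = [AuthServer(f"auth{i}", {host: good}, False) for i in range(3)]
    elif scenario == "lowercase-inconsistent":   # the ns1 situation in the thread
        servers = [AuthServer("auth0", {host: good}, False),
                   AuthServer("auth1", {host: good}, False),
                   AuthServer("auth2", {host: bad}, False)]
    elif scenario == "cname-target":             # the ns2 situation in the thread
        host = "ns2.example.net"
        servers = [AuthServer(f"auth{i}", {host: alias}, False) for i in range(3)]
    else:
        raise ValueError(scenario)
    try:
        return ("OK", ",".join(sorted(resolve_ns_address(host, servers, rng))))
    except Servfail as exc:
        return ("SERVFAIL", str(exc))


if __name__ == "__main__":
    for name in ("case-preserving", "lowercase-consistent",
                 "lowercase-inconsistent", "cname-target"):
        print(f"{name:24s} {run_scenario(name)}")
```

The two "lowercase" scenarios are the point: a provider that strips 0x20 case is tolerated as long as every authoritative server hands out the same RRset, and the moment one server disagrees the fallback has nothing it can safely trust and the lookup fails. Fixing either the case handling or the inconsistent data clears the error; fixing the CNAME requires giving the nameserver name its own A records.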
