urn:acme:error:connection DNS problem / SERVFAIL

I recently tried to renew a cert for the domain htcmayhem.com. All my local testing indicates the domain is fully reachable and I am able to access the challenge file manually. My DNS testing tool at https://r-1.ch/r1dns/dnscheck.cgi?domain=htcmayhem.com also reports no configuration problems.

Let’s Encrypt however returns the following excerpt (with multiple attempts):

```json
{
  "identifier": {
    "type": "dns",
    "value": "www.htcmayhem.com"
  },
  "status": "invalid",
  "expires": "2017-07-06T19:37:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "DNS problem: SERVFAIL looking up A for www.htcmayhem.com",
        "status": 400
      },
      "validationRecord": [
        {
          "url": "http://www.htcmayhem.com/.well-known/acme-challenge/fs0VmHuiQHQzsr3eoOkSMw9nUIOUvZgN8TximMYNAjM",
          "hostname": "www.htcmayhem.com",
          "port": "80",
          "addressesResolved": [],
          "addressUsed": "",
          "addressesTried": []
        }
      ]
    }
  ]
}
```

Are there any known DNS issues at the moment?

Hi @R1CH,

It looks like there are a number of DNSSEC errors for your domain. Let’s Encrypt uses a recursive resolver that enforces DNSSEC and so you will need to resolve these errors in order to issue for this domain.
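A small triage helper for authorization objects like the one quoted above, added here as an example; it is not part of this thread or of Let's Encrypt's own tooling. It assumes the "DNS problem: RCODE looking up RRTYPE for name" wording shown in the post, and the SAMPLE_AUTHZ dict is a constructed copy of that failed authorization.

```python
import re

# Constructed sample: the failed http-01 authorization quoted in the post above,
# trimmed to the fields the diagnosis needs.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "www.htcmayhem.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"type": "urn:acme:error:connection", "status": 400,
                  "detail": "DNS problem: SERVFAIL looking up A for www.htcmayhem.com"},
        "validationRecord": [{"hostname": "www.htcmayhem.com", "port": "80",
                              "addressesResolved": [], "addressUsed": "",
                              "addressesTried": []}],
    }],
}

# Resolver failures are phrased as "DNS problem: <RCODE> looking up <RRTYPE> for <name>"
# (wording taken from the post; assumed stable here).
_DNS_DETAIL = re.compile(
    r"DNS problem: (?P<rcode>[A-Z]+) looking up (?P<rrtype>[A-Z]+) for (?P<name>\S+)")

def diagnose_challenge(challenge):
    """Classify one ACME challenge; returns (category, what to check next)."""
    if challenge.get("status") != "invalid":
        return ("not-failed", "")
    error = challenge.get("error") or {}
    detail = error.get("detail", "")
    records = challenge.get("validationRecord") or []
    match = _DNS_DETAIL.search(detail)
    if match:
        rcode, rrtype, name = match.group("rcode", "rrtype", "name")
        if rcode == "SERVFAIL":
            # A validating resolver answers SERVFAIL when DNSSEC validation fails,
            # while the same query with checking disabled (+cd) still returns data.
            return ("dns-servfail",
                    f"on a validating resolver compare 'dig +cd {rrtype} {name}' with "
                    f"'dig {rrtype} {name}'; data only with +cd means bad RRSIG/DS records")
        if rcode == "NXDOMAIN":
            return ("dns-nxdomain", f"no {rrtype} record for {name}: check zone and delegation")
        return ("dns-" + rcode.lower(), f"resolver returned {rcode} for {rrtype} {name}")
    if records and not any(r.get("addressesResolved") for r in records):
        return ("no-address", "nothing resolved; check that the name has A/AAAA records")
    return (error.get("type", "unknown"), detail)

def diagnose_authz(authz):
    """Map each challenge type in an authorization object to its diagnosis."""
    return {ch["type"]: diagnose_challenge(ch) for ch in authz.get("challenges", [])}
```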

Thanks for spotting that, that would certainly cause it! Was the resolver changed recently to enforce DNSSEC? I’ve had no problem renewing this domain up until today.

EDIT: It appears this was an issue with our registrar / DNS host (Namecheap), our signatures were all invalid until I toggled DNSSEC support off / on again.

Happy to help :slight_smile: There haven't been any changes to our resolver recently.


Glad to hear you were able to figure out a fix! :tada:
