Verification error details: During secondary validation: DNS problem: SERVFAIL

My domain is: isp3.bping.de

I ran this command: IDK

It produced this output:
Checking / creating certificate for isp3.bping.de
Using certificate path /etc/letsencrypt/live/isp3.bping.de
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/isp3.bping.de
[Do 25. Jul 17:31:19 CEST 2024] isp3.bping.de: Invalid status. Verification error details: During secondary validation: DNS problem: SERVFAIL looking up CAA for isp3.bping.de - the domain's nameservers may be malfunctioning
[Do 25. Jul 17:31:19 CEST 2024] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.

My web server is (include version): Apache/2.4.61 (Debian)

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ispconfig 3.2.12

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh --version

v3.0.8

After I messed up my Ispconfig installation I tried to renew my certificate. I already added a CAA entry, but this does not help.


Your DNS setup is very confused. Asking the .de root servers for the nameserver for your domain says that your nameservers are from v-dns.de

>nslookup -type=NS bping.de. z.nic.de.
Server:  UnKnown
Address:  194.246.96.1

bping.de        nameserver = ns04.v-dns.de
bping.de        nameserver = ns02.v-dns.de
bping.de        nameserver = ns01.v-dns.de
bping.de        nameserver = ns03.v-dns.de
ns04.v-dns.de   internet address = 185.136.99.195
ns03.v-dns.de   internet address = 185.136.98.195
ns02.v-dns.de   internet address = 185.136.97.195
ns01.v-dns.de   internet address = 185.136.96.195
ns04.v-dns.de   AAAA IPv6 address = 2a06:fb00:1::4400
ns03.v-dns.de   AAAA IPv6 address = 2a06:fb00:1::4300
ns02.v-dns.de   AAAA IPv6 address = 2a06:fb00:1::4200
ns01.v-dns.de   AAAA IPv6 address = 2a06:fb00:1::4100

But then asking those nameservers says that your nameservers are from Cloudflare.

>nslookup -norecurse -type=NS bping.de. ns01.v-dns.de.
Server:  undefined.hostname.localhost
Address:  185.136.96.195

bping.de        nameserver = piers.ns.cloudflare.com
bping.de        nameserver = lia.ns.cloudflare.com

And Cloudflare doesn't seem to think that it's hosting your domain, as it returns REFUSED when asked.

>nslookup -norecurse -type=A isp3.bping.de. piers.ns.cloudflare.com.
Server:  piers.ns.cloudflare.com
Address:  172.64.35.16

*** piers.ns.cloudflare.com can't find isp3.bping.de.: Query refused

You need your domain name working first before you can get a certificate. The CAA record itself or lack thereof probably isn't a problem (having no record is fine, but adding one can help increase the security of your domain), but in order to check it Let's Encrypt has to contact your DNS server and right now it's getting different answers from different places about where to check, some of which aren't right.

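A small checker for the kind of delegation mismatch diagnosed above, added here as an example and not code from the thread or from any of the tools it mentions. It walks the same three steps (parent NS set, child NS set, then an A query to every named server) and flags disagreement or non-NOERROR answers; the recorded answers are constructed from the queries shown, the host address is a documentation placeholder, and the resolver callable is a hypothetical interface you would back with dig or a DNS library for live use.

```python
from typing import Callable, Dict, List, Set, Tuple

# A resolver is any callable (server, name, rtype) -> (rcode, rdata list), so the
# check can run against live servers or, as here, against recorded answers.
Resolver = Callable[[str, str, str], Tuple[str, List[str]]]


def check_delegation(zone: str, host: str, parent: str, query: Resolver) -> List[str]:
    """Walk the delegation chain the way the answer above does.

    Ask the parent (TLD) server for the NS set of `zone`, ask each delegated server
    the same question, then ask every server named by either side for `host`.
    Returns a list of problems; an empty list means the delegation is consistent.
    """
    problems: List[str] = []
    rcode, parent_ns = query(parent, zone, "NS")
    if rcode != "NOERROR" or not parent_ns:
        return [f"parent {parent} answered {rcode} for NS {zone}"]
    parent_set: Set[str] = set(parent_ns)
    all_servers: Set[str] = set(parent_set)
    for ns in sorted(parent_set):
        rcode, child_ns = query(ns, zone, "NS")
        if rcode != "NOERROR":
            problems.append(f"{ns} answered {rcode} for NS {zone}")
            continue
        all_servers |= set(child_ns)
        if set(child_ns) != parent_set:  # parent and child disagree
            problems.append(f"{ns} lists {sorted(child_ns)} but parent lists {sorted(parent_set)}")
    for server in sorted(all_servers):  # lame server: named but refuses/fails
        rcode, _ = query(server, host, "A")
        if rcode != "NOERROR":
            problems.append(f"{server} answered {rcode} for A {host}")
    return problems


# Constructed answers reproducing the thread's observations (not live data):
# .de delegates to v-dns.de, v-dns.de names Cloudflare, Cloudflare refuses.
# The address for the host is an RFC 5737 documentation placeholder.
SAMPLE: Dict[Tuple[str, str, str], Tuple[str, List[str]]] = {
    ("z.nic.de", "bping.de", "NS"): ("NOERROR", ["ns01.v-dns.de"]),
    ("ns01.v-dns.de", "bping.de", "NS"): ("NOERROR", ["lia.ns.cloudflare.com", "piers.ns.cloudflare.com"]),
    ("ns01.v-dns.de", "isp3.bping.de", "A"): ("NOERROR", ["192.0.2.10"]),
}


def sample_query(server: str, name: str, rtype: str) -> Tuple[str, List[str]]:
    """Recorded-answer resolver; anything not recorded is refused, as Cloudflare did."""
    return SAMPLE.get((server, name, rtype), ("REFUSED", []))
```

Running `check_delegation("bping.de", "isp3.bping.de", "z.nic.de", sample_query)` reports the NS-set mismatch at ns01.v-dns.de and the REFUSED answers from both Cloudflare servers, which is exactly why the CAA lookup ends in SERVFAIL.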

Thank you very much.
I had two NS records for the domain bping.de (piers.ns.cloudflare.com & lia.ns.cloudflare.com). I don't remember why I added them, but it was working for years with this setup. I removed those 2 entries 48 hours ago. So I don't get why ns01.v-dns.de is still listing them. But I assume time will solve my problem now.


I doubt that time will fix anything [by itself].

You should ensure the proper authoritative servers are listed in your domain.
[that can usually be done at the domain registrars' web site]

