How to set up Certbot but getting CAA error

Hi, each time I try to set up Certbot to set up the TLS certificate I keep getting the error below.

Domain: www.raj302.com
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for raj302.com

I did set up a CAA record for my site as follows, so I'm not sure if this is what's causing this error.

Name: www
Tag: issuewild
Value: letsencrypt.org
TTL: 5 mins

Each time I run sudo certbot --apache, I get to pick which sites I want to certify, which are raj302.com or www.raj302.com, so I pick the second option and that's the error I keep getting above. I'm not sure what is causing this error? Thanks!

9 Replies

$ dig www.raj302.com CAA @ns1.linode.com

… returns nothing.

Is your DNS record really there?

To check you can go to https://manager.linode.com/dns and you should see the "zone" (your domain) - and it will be flagged with an error if there is one.

Even if not, you can click on "check" there to see if there are any issues - or click on "zone file" to see what data gets pushed into Linode's DNS servers.

Also note that AFAIK, Let's Encrypt only requires DNS validation for wildcard certificates (e.g. "*.foo.com").

If you don't need wildcard names in your certificate - you can use web server validation which is easier and faster esp. if you have a web server running already.

Everything looks good when I click on zone and check. So I should check "issue" instead of "issuewild" then?

I'm still not seeing any CAA records for your domain - when I query for them with dig tool as I showed above.

Now Linode updates their "master servers" every 15 minutes (from what is configured for all the clients they have) - and I've seen this work.

I'd check the zone file; it's pretty easy to read.

Mine has these entries:

@            CAA 0 issue "comodoca.com"
@            CAA 0 issue "letsencrypt.org"

The "@" above are like "www" except it means "no www or anything" - it's for the domain itself.

And if I do dig kman.mobi CAA I get this:

;; ANSWER SECTION:
kman.mobi.        86400   IN  CAA 0 issue "letsencrypt.org"
kman.mobi.        86400   IN  CAA 0 issue "comodoca.com"

So I should check "issue" instead of "issuewild" then?

If you're issuing a wildcard cert - it should be "issuewild" but I don't think you are.

I don't think that's the issue - but who knows. Perhaps worth trying.

It's worrisome that your already configured CAA isn't visible:

https://dnschecker.org/#CAA/www.raj302.com

By the way, are you able to make DNS queries from the machine (Linode)?

What if you do dig kman.mobi CAA - do you get anything? (I posted the reference output above.)

Or let's say dig google.com (you should get an IPv4 address)?

If not I'd check /etc/resolv.conf it should have a bunch of name servers.

An easy way to set them up is - again in the old console, manager.linode.com - to click on your linode, then on its "configuration profile" and enable "Auto-configure Networking" near the bottom of the page. Then reboot.

Yes, so I did try dig kman.mobi CAA, and I get a similar output to yours, shown below.

;; ANSWER SECTION:
kman.mobi. 86400 IN CAA 0 issue "comodoca.com"
kman.mobi. 86400 IN CAA 0 issue "letsencrypt.org"

Anyways, I tried running certbot for both raj302.com and www.raj302.com, and for the raj302.com option I get the error below:

Failed authorization procedure. raj302.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for raj302.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: raj302.com
    Type: connection
    Detail: dns :: DNS problem: SERVFAIL looking up A for raj302.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client.

I checked the A records on the dns site and it checks out.

My zone file is showing

@ 300 A Public IP
raj302.com 300 A Public IP
www 300 A Public IP
raj302.com 300 CAA 0 issue "letsencrypt.org"

The zone file looks different from yours though. I'm not sure what else could be going on here. Could it be that since I made some changes today to my domain it will take time to propagate? But as you said it only takes 15 mins.

raj302.com 300 A Public IP
raj302.com 300 CAA 0 issue "letsencrypt.org"

Oh.

If you want these to refer to raj302.com - then

raj302.com 300 A Public IP
raj302.com 300 CAA 0 issue "letsencrypt.org"

Should be

@ 300 A Public IP
@ 300 CAA 0 issue "letsencrypt.org"

Where the "@" means "this entry refers to the domain name itself, without adding another name part in front".

In DNS Manager (recommend the old one, manager.linode.com) - just edit these two entries and make "subdomain" empty, i.e. remove "raj302.com".

This will mean "no sub-name, just the domain name".

Then wait for next 15 minute mark + 2-3 minutes and:

1 - Check the zone file; it should have "@" in the first position, not a repeated "raj302.com"

2 - Check if the entries get served

dig raj302.com A @ns1.linode.com

dig raj302.com CAA @ns1.linode.com

3 - After 5-10 minutes more they should propagate to @8.8.8.8

Also for the actual error you're getting.

Here I'm doing a basic "A" query (IP address) on Linode's name server:

$ dig raj302.com A @ns1.linode.com

; <<>> DiG 9.11.2 <<>> raj302.com A @ns1.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6005
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Note the "status: REFUSED".

And Google DNS:

~$ dig raj302.com A @8.8.8.8

; <<>> DiG 9.11.2 <<>> raj302.com A @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7994
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

That's your "status: SERVFAIL".

I wonder if repeating the domain name in host name as you're doing here:

raj302.com 300 A Public IP

is causing Linode's DNS system to get confused somehow. Maybe someone from Linode will want to investigate.

But I really hope that fixing the two entries with domain repeating in host name - making host name blank - should fix things, and it's the right thing to do in any case.

Thanks man! I was able to get it to work finally using your suggestion. It definitely was an issue with having multiple entries for the A part, so now I just have 1 and left the host name blank, along with the CAA record.

Cool!

You still may want to open a support ticket to have this looked at because…

… an entry like this (what you had originally):

raj302.com 300 CAA 0 issue "letsencrypt.org"

although wrong,

  • is valid and represents a CAA record for host name raj302.com.raj302.com

  • should not have resulted in failures of Linode's DNS server
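Added example, not code from the thread or from Linode: it models how a name server expands zone-file owner names against $ORIGIN (so an owner of "raj302.com" inside the raj302.com zone becomes raj302.com.raj302.com, as the last two posts explain) and how a CA finds and applies the governing CAA RRset, including the issue vs. issuewild distinction discussed earlier. Zone rows are constructed from the listings in the thread; the IP is a placeholder.

```python
# Added example, not from the thread: how a server expands zone-file owners against
# $ORIGIN (so "raj302.com" becomes raj302.com.raj302.com) and how a CA applies CAA.
ORIGIN = "raj302.com."

def expand_owner(owner, origin=ORIGIN):
    """'@' is the apex, a trailing '.' makes a name absolute, else relative to origin."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def lint_zone(zone, origin=ORIGIN):
    """Flag owners that repeat the apex without a trailing dot (the thread's bug)."""
    bare = origin.rstrip(".")
    return [f"'{o}' serves {expand_owner(o, origin)}; use '@' or '{origin}'"
            for o, _, _ in zone if o == bare or o.endswith("." + bare)]

def build_rrsets(zone, origin=ORIGIN):
    """Group rdata by (absolute owner, type) the way the server stores it."""
    rrsets = {}
    for owner, rtype, rdata in zone:
        rrsets.setdefault((expand_owner(owner, origin), rtype), []).append(rdata)
    return rrsets

def relevant_caa(fqdn, rrsets):
    """RFC 8659 lookup: climb from fqdn toward the root; first CAA RRset found wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if (name, "CAA") in rrsets:
            return name, rrsets[(name, "CAA")]
    return None, []

def caa_permits(fqdn, ca, rrsets, wildcard=False):
    """issuewild governs only wildcard names (and takes precedence there);
    with no applicable tag the relevant RRset does not restrict issuance."""
    _, rrset = relevant_caa(fqdn, rrsets)
    tags = [r.split(" ", 2)[1:] for r in rrset]          # [tag, '"value"']
    issue = [v.strip('"') for t, v in tags if t == "issue"]
    wild = [v.strip('"') for t, v in tags if t == "issuewild"]
    applicable = wild if wildcard and wild else issue
    return not applicable or ca in applicable

# Zone rows constructed from the listings in the thread (IP is a placeholder).
BROKEN_ZONE = [("@", "A", "192.0.2.10"), ("raj302.com", "A", "192.0.2.10"),
               ("www", "A", "192.0.2.10"), ("raj302.com", "CAA", '0 issue "letsencrypt.org"')]
FIXED_ZONE = [("@", "A", "192.0.2.10"), ("www", "A", "192.0.2.10"),
              ("@", "CAA", '0 issue "letsencrypt.org"')]
```

Running lint_zone(BROKEN_ZONE) reports both repeated-apex rows, and relevant_caa("www.raj302.com.", build_rrsets(BROKEN_ZONE)) finds no CAA at all, because the record was published under raj302.com.raj302.com instead of the apex.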
