netsq
By:
netsq

Letsencrypt verification failing for naked domain

September 13, 2016 1.9k views
Let's Encrypt Apache Ubuntu 16.04

Domain netsqservice.com served from godaddy.

Setup nameserver to point to DO.

NS1.DIGITALOCEAN.COM
NS2.DIGITALOCEAN.COM
NS3.DIGITALOCEAN.COM

Setup Forwarding 302 to https://www.netsqservice.com from godaddy.

DO Zone file 

$ORIGIN www.netsqservice.com.
$TTL 1800
www.netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.www.netsqservice.com. 1473723299 10800 3600 604800 1800
www.netsqservice.com. 1800 IN NS ns1.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns2.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns3.digitalocean.com.
www.netsqservice.com. 1800 IN A 162.243.140.9
www.www.netsqservice.com. 1800 IN CNAME www.netsqservice.com.

DO apache conf-

<VirtualHost *:80>
    ServerAlias netsqservice.com
    RedirectMatch permanent ^/(.*) https://www.netsqservice.com/$1
</VirtualHost>


<VirtualHost *:80>
    ServerAdmin admin@netsqservice.com
    ServerName netsqservice.com
    DocumentRoot /var/www/netsqservice.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/netsqservice-error.log
    CustomLog ${APACHE_LOG_DIR}/netsqservice-access.log combined
</VirtualHost>

command -

certbot-auto --apache -d netsqservice.com -d www.netsqservice.com

error -

Failed authorization procedure. netsqservice.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for netsqservice.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: netsqservice.com
Type: connection
Detail: DNS problem: SERVFAIL looking up A for netsqservice.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Note:

When I tried with certbot-auto --apache -d www.netsqservice.com , it worked. The naked domain has some problem in verifying with letsencrypt. Any help is highly appreciated.

Log In to Comment
3 Answers
mnordhoff September 13, 2016

Look at your DNS zone dump -- your zone is called www.netsqservice.com.. Indeed, you even have an A record for www.www.netsqservice.com.. netsqservice.com. is outside of your zone, and as no separate netsqservice.com. zone currently exists on DigitalOcean's nameservers, queries for netsqservice.com. (or, say, xyz.netsqservice.com.) return an error.

I'm not experienced with how precisely to do it in DigitalOcean's DNS interface, but you need to rename your zone to netsqservice.com., or perhaps create a new zone called netsqservice.com. and delete your current www.netsqservice.com. zone.

Reply
nepsdotin December 6, 2017

I am also having the same problem, but in my case A record points to a ip of my droplet.. But I am also getting the same issue. I am desparate for the solution
for someone to debug domain : grandappstudio.com

here is the dns zone dump

grandappstudio.com. 1535 IN A 139.59.14.143
grandappstudio.com. 1535 IN NS ns1.digitalocean.com.
grandappstudio.com. 1535 IN NS ns2.digitalocean.com.
grandappstudio.com. 1535 IN NS ns3.digitalocean.com.
grandappstudio.com. 1535 IN SOA ns1.digitalocean.com. hostmaster.grandappstudio.com. (
                1508912052 ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                1800       ; minimum (30 minutes)
                )
grandappstudio.com. 1535 IN MX 1 aspmx.l.google.com.
grandappstudio.com. 1535 IN MX 5 alt1.aspmx.l.google.com.
grandappstudio.com. 1535 IN MX 5 alt2.aspmx.l.google.com.
grandappstudio.com. 1535 IN MX 10 alt3.aspmx.l.google.com.
grandappstudio.com. 1535 IN MX 10 alt4.aspmx.l.google.com.

Pls help

Reply
charmx February 20, 2018

the same error:

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: juancarlosmx.xyz
Type: connection
Detail: DNS problem: SERVFAIL looking up A for juancarlosmx.xyz

Domain: www.juancarlosmx.xyz
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for juancarlosmx.xyz

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

/////////////////////////
*In my domain record is: *

*How fix error? *

Reply
Have another answer? Share your knowledge.

Related Questions