Letsencrypt verification failing for naked domain

September 13, 2016 1.5k views
Let's Encrypt Apache Ubuntu 16.04

Domain served from GoDaddy.

Set up the nameservers to point to DO.

Set up 302 forwarding to from GoDaddy.

DO Zone file

$TTL 1800
     IN SOA 1473723299 10800 3600 604800 1800
1800 IN NS
1800 IN NS
1800 IN NS
1800 IN A
1800 IN CNAME

DO Apache conf:

<VirtualHost *:80>
    RedirectMatch permanent ^/(.*)$1
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/netsqservice-error.log
    CustomLog ${APACHE_LOG_DIR}/netsqservice-access.log combined
</VirtualHost>

Command:

certbot-auto --apache -d -d

Error:

Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for


  • The following errors were reported by the server:

Type: connection
Detail: DNS problem: SERVFAIL looking up A for

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.


When I tried with certbot-auto --apache -d , it worked. The naked domain has some problem verifying with Let's Encrypt. Any help is highly appreciated.

2 Answers

Look at your DNS zone dump -- your zone is called Indeed, you even have an A record for is outside of your zone, and as no separate zone currently exists on DigitalOcean's nameservers, queries for (or, say, return an error.

I'm not experienced with how precisely to do it in DigitalOcean's DNS interface, but you need to rename your zone to, or perhaps create a new zone called and delete your current zone.

I am also having the same problem, but in my case the A record points to an IP of my droplet. But I am also getting the same issue. I am desperate for the solution.
For someone to debug, domain:

Here is the DNS zone dump:

1535 IN A
1535 IN NS
1535 IN NS
1535 IN NS
1535 IN SOA (
                1508912052 ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                1800       ; minimum (30 minutes)
                )
1535 IN MX 1
1535 IN MX 5
1535 IN MX 5
1535 IN MX 10
1535 IN MX 10

Please help.
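The answer above and the follow-up comment both come down to the same question: does the zone that DigitalOcean's nameservers actually serve cover every name passed to certbot -d, and does each of those names have an address record? The pre-flight check below, added here as an example and not code from the original thread or from certbot, parses a BIND-style zone dump offline and answers that per name. The two sample zones and example.com are constructed for illustration; the first mirrors the asker's situation (a zone whose origin is the www name, so the apex lies outside it), the second is the corrected apex zone.

```python
"""Offline pre-flight check: can this zone answer for the names certbot will request?

Added example, not code from the original post or from certbot.  example.com and the
203.0.113.10 address are constructed placeholders (RFC 5737 documentation range).
"""
import re

# owner [ttl] IN type rdata   (ttl optional; class assumed IN as in DO zone dumps)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME|NS|SOA|MX|TXT)\s+(.*)$")

OK = "ok"
OUTSIDE_ZONE = "outside-zone"            # resolvers get SERVFAIL/NXDOMAIN unless another zone serves it
NO_ADDRESS_RECORD = "no-address-record"  # in zone, but nothing for an A/AAAA/CNAME lookup to return


def _logical_lines(text):
    """Yield records with ';' comments stripped and '( ... )' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        buf = f"{buf} {line}".strip() if buf else line
        if "(" in buf and ")" not in buf:
            continue  # still inside a multi-line SOA
        if buf:
            yield buf
        buf = ""


def parse_zone(text):
    """Return (origin, {fqdn: {record types}}) for a zone dump.

    Origin comes from $ORIGIN, or failing that from the owner of the SOA record
    (DO dumps use fully qualified owner names, so relative names are rare).
    """
    origin, soa_owner, records = None, None, {}
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):
            continue  # $TTL and friends carry no owner
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, _rdata = m.groups()
        owner = owner.lower()
        if owner == "@" and origin:
            owner = origin
        elif not owner.endswith(".") and origin:
            owner = f"{owner}.{origin}"
        records.setdefault(owner, set()).add(rtype)
        if rtype == "SOA":
            soa_owner = owner
    origin = origin or soa_owner
    if origin is None:
        raise ValueError("no $ORIGIN and no SOA record: cannot tell which zone this is")
    return origin, records


def check_names(zone_text, names):
    """Map each certbot -d name to OK, OUTSIDE_ZONE or NO_ADDRESS_RECORD."""
    origin, records = parse_zone(zone_text)
    results = {}
    for name in names:
        fqdn = name.lower().rstrip(".") + "."
        if not (fqdn == origin or fqdn.endswith("." + origin)):
            results[name] = OUTSIDE_ZONE
        elif records.get(fqdn, set()) & {"A", "AAAA", "CNAME"}:
            results[name] = OK
        else:
            results[name] = NO_ADDRESS_RECORD
    return results


# Constructed sample: the zone was created for the www name, so the apex is outside it.
BROKEN_ZONE = """\
$ORIGIN www.example.com.
$TTL 1800
@ IN SOA ns1.digitalocean.com. hostmaster.www.example.com. 1473723299 10800 3600 604800 1800
@ 1800 IN NS ns1.digitalocean.com.
@ 1800 IN NS ns2.digitalocean.com.
@ 1800 IN NS ns3.digitalocean.com.
@ 1800 IN A 203.0.113.10
"""

# Constructed sample: zone at the apex, www as a CNAME to it, multi-line SOA as in the comment above.
FIXED_ZONE = """\
$ORIGIN example.com.
$TTL 1800
@ IN SOA ns1.digitalocean.com. hostmaster.example.com. (
        1508912052 ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        1800       ; minimum
        )
@ 1800 IN NS ns1.digitalocean.com.
@ 1800 IN A 203.0.113.10
www 1800 IN CNAME example.com.
"""

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_names(zone, ["example.com", "www.example.com"]))
```

Run it against your own dump before rerunning certbot; a name reported as outside-zone is exactly the case the answer describes, and no zone edit for that name will help until the zone itself is renamed or a second zone is created. Once the dump looks right, confirm what the live nameservers return with `dig @ns1.digitalocean.com example.com A` (and `dig +trace example.com A` to follow delegation from the root), since the http-01 and tls-sni-01 challenges both need the requested name to resolve to your server.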
