Question

Letsencrypt verification failing for naked domain

The domain netsqservice.com is served from GoDaddy.

I set up the nameservers to point to DO:

NS1.DIGITALOCEAN.COM
NS2.DIGITALOCEAN.COM
NS3.DIGITALOCEAN.COM

I set up 302 forwarding to https://www.netsqservice.com from GoDaddy.

DO Zone file

$ORIGIN www.netsqservice.com.
$TTL 1800
www.netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.www.netsqservice.com. 1473723299 10800 3600 604800 1800
www.netsqservice.com. 1800 IN NS ns1.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns2.digitalocean.com.
www.netsqservice.com. 1800 IN NS ns3.digitalocean.com.
www.netsqservice.com. 1800 IN A 162.243.140.9
www.www.netsqservice.com. 1800 IN CNAME www.netsqservice.com.

DO Apache conf:

<VirtualHost *:80>
    ServerAlias netsqservice.com
    RedirectMatch permanent ^/(.*) https://www.netsqservice.com/$1
</VirtualHost>


<VirtualHost *:80>
    ServerAdmin admin@netsqservice.com
    ServerName netsqservice.com
    DocumentRoot /var/www/netsqservice.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/netsqservice-error.log
    CustomLog ${APACHE_LOG_DIR}/netsqservice-access.log combined
</VirtualHost>

command -

certbot-auto --apache -d netsqservice.com -d www.netsqservice.com

error -

Failed authorization procedure. netsqservice.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for netsqservice.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: netsqservice.com Type: connection Detail: DNS problem: SERVFAIL looking up A for netsqservice.com

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

Note:

When I tried with certbot-auto --apache -d www.netsqservice.com, it worked. The naked domain has some problem verifying with Let's Encrypt. Any help is highly appreciated.



The same error:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: juancarlosmx.xyz Type: connection Detail: DNS problem: SERVFAIL looking up A for juancarlosmx.xyz

    Domain: www.juancarlosmx.xyz Type: connection Detail: DNS problem: SERVFAIL looking up CAA for juancarlosmx.xyz

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

**My domain record is:**

  • type: A
  • Hostname: www.juancarlosmx.xyz
  • Value: 45.55.79.187

**How do I fix the error?**

I am also having the same problem, but in my case the A record points to the IP of my droplet… But I am also getting the same issue. I am desperate for a solution, or for someone to debug the domain: grandappstudio.com

Here is the DNS zone dump:

grandappstudio.com.	1535 IN	A 139.59.14.143
grandappstudio.com.	1535 IN	NS ns1.digitalocean.com.
grandappstudio.com.	1535 IN	NS ns2.digitalocean.com.
grandappstudio.com.	1535 IN	NS ns3.digitalocean.com.
grandappstudio.com.	1535 IN	SOA ns1.digitalocean.com. hostmaster.grandappstudio.com. (
				1508912052 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				1800       ; minimum (30 minutes)
				)
grandappstudio.com.	1535 IN	MX 1 aspmx.l.google.com.
grandappstudio.com.	1535 IN	MX 5 alt1.aspmx.l.google.com.
grandappstudio.com.	1535 IN	MX 5 alt2.aspmx.l.google.com.
grandappstudio.com.	1535 IN	MX 10 alt3.aspmx.l.google.com.
grandappstudio.com.	1535 IN	MX 10 alt4.aspmx.l.google.com.

Please help.

Look at your DNS zone dump – your zone is called www.netsqservice.com.. Indeed, you even have an A record for www.www.netsqservice.com.. netsqservice.com. is outside of your zone, and as no separate netsqservice.com. zone currently exists on DigitalOcean’s nameservers, queries for netsqservice.com. (or, say, xyz.netsqservice.com.) return an error.

I’m not experienced with how precisely to do it in DigitalOcean’s DNS interface, but you need to rename your zone to netsqservice.com., or perhaps create a new zone called netsqservice.com. and delete your current www.netsqservice.com. zone.
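The zone-boundary problem described in the answer above can be checked before running certbot. The following is an added example, not code from the original thread or from DigitalOcean or certbot: it parses the zone dump from the question (ns2/ns3 NS lines omitted) and reports whether each certificate name is inside the zone and resolves to an address. The function names `parse_zone`, `check` and `preflight` are hypothetical.

```python
# Added example: pre-flight check of certificate names against a zone dump.
ZONE = """\
$ORIGIN www.netsqservice.com.
$TTL 1800
www.netsqservice.com. IN SOA ns1.digitalocean.com. hostmaster.www.netsqservice.com. 1473723299 10800 3600 604800 1800
www.netsqservice.com. 1800 IN NS ns1.digitalocean.com.
www.netsqservice.com. 1800 IN A 162.243.140.9
www.www.netsqservice.com. 1800 IN CNAME www.netsqservice.com.
"""  # copied from the question; ns2/ns3 NS lines omitted

def labels(name):
    """Lower-cased label list of a domain name, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")

def parse_zone(text):
    """Return (origin_labels, {owner_labels: {rtype: [rdata, ...]}})."""
    origin, records = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = labels(fields[1])
        elif not fields[0].startswith("$"):
            i = fields.index("IN")  # owner [ttl] IN type rdata...
            rrsets = records.setdefault(tuple(labels(fields[0])), {})
            rrsets.setdefault(fields[i + 1], []).append(" ".join(fields[i + 2:]))
    return origin, records

def check(name, origin, records, depth=0):
    """Return 'out-of-zone', 'no-address', or the A record value for name."""
    want = labels(name)
    # Compare whole labels, so 'xnetsqservice.com' is not inside 'netsqservice.com'.
    if len(want) < len(origin) or want[-len(origin):] != origin:
        return "out-of-zone"
    rrsets = records.get(tuple(want), {})
    if "A" in rrsets:
        return rrsets["A"][0]
    if "CNAME" in rrsets and depth < 8:  # follow in-zone CNAMEs, bounded
        return check(rrsets["CNAME"][0], origin, records, depth + 1)
    return "no-address"

def preflight(names, zone_text=ZONE):
    """Classify every name requested with certbot's -d option."""
    origin, records = parse_zone(zone_text)
    return {n: check(n, origin, records) for n in names}

if __name__ == "__main__":
    for name, result in preflight(["netsqservice.com", "www.netsqservice.com"]).items():
        print(f"{name}: {result}")
```

Running the same check with `$ORIGIN` changed to `netsqservice.com.` reports `no-address` for the bare name, because this dump contains no A record owned by `netsqservice.com.` itself.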