Symptoms
When attempting to use the AutoSSL feature to issue a new SSL certificate or renew the existing one for a given domain, you encounter errors similar to the following in the AutoSSL log:
Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
9:36:35 PM WARN DNS query error (one.example.com/CAA): SERVFAIL (2)
WARN DNS query error (example.com/NS): SERVFAIL (2)
WARN DNS query error (example.com/CAA): SERVFAIL (2)
WARN DNS query error (two.example.com/NS): SERVFAIL (2)
Cause
These errors usually indicate that at least one of the domain's authoritative nameservers is unavailable or not answering correctly. AutoSSL must be able to resolve the domain's NS and CAA records all the way from the root; if any step of that lookup fails, the AutoSSL order fails. A few common causes are as follows:
- The server hosting the name servers might not be running.
- The UDP port 53 to the server is not accessible.
- The server might not be accessible because it's behind NAT.
- The name servers might be misconfigured and unable to respond to the DNS queries for the domain.
- The nameservers listed at the registrar don't match the domain's NS records.
- The resolvers used by the local server are unresponsive or cannot locate the domain's nameservers.
- Various other network and non-network-related issues.
The best way to identify the cause is to query the servers directly and see what is returned in the response.
Note: You will need to replace example.com with your domain, and ns1.example.com and ns2.example.com with your domain's nameservers.
1. Find the registered nameservers for the domain.

# whois example.com | grep Name
Domain Name:example.com
Name Server:ns1.example.com
Name Server:ns2.example.com

2. Check the NS records for the domain.

# dig example.com +short NS
ns1.example.com.
ns2.example.com.

3. Verify that the registered nameservers and the NS records agree.

4. Query the nameservers directly and see what is returned. Here we query @ns2.example.com, but you may query any of the listed nameservers.

# dig @ns2.example.com example.com +short
; <<>> DiG 9.10.6 <<>> @ns2.example.com example.com +short
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

In the above example, the query to ns2.example.com timed out, which indicates that either the nameserver is unresponsive or a network issue is preventing communication between the local server and the nameserver.
Note: You can use dig with the +trace flag for a more detailed check. With +trace, dig resolves the name itself, step by step, starting at the root nameservers, so the answer does not come from the local resolver's cache.
# dig +trace cpanel.net +short
NS e.root-servers.net. from server 192.168.0.1 in 144 ms.
NS h.root-servers.net. from server 192.168.0.1 in 144 ms.
NS m.root-servers.net. from server 192.168.0.1 in 144 ms.
NS b.root-servers.net. from server 192.168.0.1 in 144 ms.
NS k.root-servers.net. from server 192.168.0.1 in 144 ms.
NS i.root-servers.net. from server 192.168.0.1 in 144 ms.
NS d.root-servers.net. from server 192.168.0.1 in 144 ms.
NS c.root-servers.net. from server 192.168.0.1 in 144 ms.
NS f.root-servers.net. from server 192.168.0.1 in 144 ms.
NS a.root-servers.net. from server 192.168.0.1 in 144 ms.
NS j.root-servers.net. from server 192.168.0.1 in 144 ms.
NS l.root-servers.net. from server 192.168.0.1 in 144 ms.
NS g.root-servers.net. from server 192.168.0.1 in 144 ms.
A 208.74.121.151 from server 208.74.121.52 in 38 ms.
A 208.74.123.84 from server 208.74.121.52 in 38 ms.
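The steps above check each nameserver by hand with dig. The script below, added here as an example and not part of the original article or of cPanel's own tooling, performs the same check programmatically: it sends an NS and a CAA query straight to each nameserver over UDP port 53 and reports the DNS response code the way the AutoSSL log does (for example SERVFAIL is RCODE 2), then maps each outcome to the likely cause from the list above. It uses only the Python standard library. The function names, the nameserver IPs 192.0.2.53 and 198.51.100.53 and the example.com nameserver names are placeholders chosen for this example; the IPs are passed in explicitly so the check does not depend on the local resolver, which may itself be the broken component.

```python
"""Added example (not cPanel's code): query a domain's nameservers directly
over UDP/53 for the NS and CAA records AutoSSL's DCV step needs, and report
the DNS response code as the AutoSSL log does (e.g. "SERVFAIL (2)")."""
import random
import socket
import struct

# Response codes from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"NS": 2, "CAA": 257}  # RR type codes; CAA is defined in RFC 8659
AA_FLAG = 0x0400  # Authoritative Answer bit in the header flags word


def build_query(name, qtype, txid=0x1234):
    """Build a one-question DNS query. RD is left clear: we ask an
    authoritative server for its own data, not to recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def parse_response(data, expected_txid):
    """Decode the 12-byte header: verify the transaction id, then extract
    the RCODE, the AA bit and the answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch; discarding stray reply")
    rcode = flags & 0x000F
    return {"rcode": rcode, "name": RCODES.get(rcode, "RCODE%d" % rcode),
            "authoritative": bool(flags & AA_FLAG), "answers": ancount}


def query_nameserver(ns_ip, name, qtype, timeout=3.0):
    """Send one query straight to ns_ip:53. A timeout becomes its own status,
    matching dig's "connection timed out; no servers could be reached"."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, txid), (ns_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"rcode": None, "name": "TIMEOUT", "authoritative": False, "answers": 0}
    return parse_response(data, txid)


def diagnose(result):
    """Map a query result to the likely cause from the list in the article."""
    if result["name"] == "TIMEOUT":
        return "unreachable: host down, UDP/53 blocked, or server behind NAT"
    if result["name"] == "SERVFAIL":
        return "answered but failed to serve the zone: nameserver misconfigured for this domain"
    if result["name"] == "REFUSED":
        return "refused the query: server does not consider itself responsible for the zone"
    if result["name"] == "NOERROR" and not result["authoritative"]:
        return "non-authoritative answer: NS delegation or registrar nameservers are wrong"
    if result["name"] == "NOERROR":
        # Zero CAA records is a valid authoritative answer (any CA may issue)
        return "ok: authoritative answer with %d record(s)" % result["answers"]
    return "unexpected response code %s" % result["name"]


def check_domain(domain, nameserver_ips, qtypes=("NS", "CAA")):
    """Run the checks AutoSSL needs against every nameserver; returns a list
    of (nameserver, qtype, rcode name, diagnosis) tuples."""
    report = []
    for ns_name, ip in nameserver_ips.items():
        for qtype in qtypes:
            result = query_nameserver(ip, domain, qtype)
            report.append((ns_name, qtype, result["name"], diagnose(result)))
    return report


if __name__ == "__main__":
    # Constructed placeholders: replace with your domain and its nameservers' real IPs
    for row in check_domain("example.com", {"ns1.example.com": "192.0.2.53",
                                            "ns2.example.com": "198.51.100.53"}):
        print("%-18s %-4s %-9s %s" % row)
```

Every nameserver must return an authoritative NOERROR for both record types for DCV to succeed; a TIMEOUT corresponds to the dig output in step 4 above, while SERVFAIL is the code the AutoSSL log reports in the symptoms section.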
Resolution
You must ensure that the nameservers are responsive and return the correct DNS value for the domain. AutoSSL cannot complete the Domain Control Validation (DCV) step to generate an AutoSSL certificate for the domain if the domain's nameservers are not returning the correct DNS values.