Skip to main content

AutoSSL Fails With "WARN DNS query error (domain.tld/NS): SERVFAIL (2)" Error

Ehsan Dowlatshah
  • Updated

Symptoms


When attempting to use the AutoSSL feature to issue a new SSL or renew the existing SSL certificate for a given domain, you get this errro in the AutoSSL error logs (/var/cpanel/logs/autossl/): 

Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …

9:36:35 PM WARN DNS query error (mail.domain.tld/CAA): SERVFAIL (2)

WARN DNS query error (domain.tld/NS): SERVFAIL (2)

WARN DNS query error (domain.tld/CAA): SERVFAIL (2)

WARN DNS query error (subdomain.domain.tld/NS): SERVFAIL (2)


You can also access the relevant error log from this interface:

WHM >> SSL/TLS >> Manage AutoSSL >> Logs >> Select a log to view >> View Logs

 

Description:

This usually means that at least one of the authoritative name servers associated with the domain (domain.tld) is not accessible for various reasons. This can be caused by different issues, to just name a few common ones: 


- The server hosting the name servers might not be running


- The UDP port 53 to the server is not accessible

 

- The server might not be accessible because it's behind NAT (Please refer to this article )


- The name servers might just be misconfigured and not able to respond to the DNS queries for the domain


- And many other various network and non-network-related issues

 

Whatever the reason, the cPanel server is not able to query the remote authoritative server and get a response and as a result, AutoSSL is failing.

The best way to confirm this issue is to query the servers directly and see what is returned in response. First, you need to find out what the authoritative name servers for the domain are by running one of these commands:

whois domain.tld | grep Name

Domain Name:domain.tld
Name Server:ns1.domain.tld
Name Server:ns2.domain.tld

OR

dig domain.tld +short NS

ns1.domain.tld.
ns2.domain.tld.


Now you can query these servers directly and see what is returned by using this command: (Here we query this server @ns2.domain.tld)

dig @ns2.domain.tld domain.tld +short


; <<>> DiG 9.10.6 <<>> @ns2.domain.tld domain.tld +short

; (2 servers found)

;; global options: +cmd

;; connection timed out; no servers could be reached

 
As you can see when querying one of the name servers (ns2.domain.tld) we are not getting anything in response and our query fails with a "connection timed out; no servers could be reached" error. This more than likely means that the server is not even up, which we can confirm by simply pinging the server like this:

ping ns2.domain.tld


PING ns2.domain.tld (202.47.80.140) 56(84) bytes of data.

^C
--- ns2.domain.tld ping statistics ---

88 packets transmitted, 0 received, 100% packet loss, time 87002ms

In this case, our suspicions are confirmed. However, there could be many other reasons why a server is not responsive and in most cases, the issue is usually at the network-level. 

Workaround:

You need to make sure that the name serves are responsive and are returning the correct DNS value for the domain, otherwise, AutoSSL will not be able to complete the Domain Control Validation (DCV) step to generate an AutoSSL certificate for the domain. For more information on DCV you can refer to this link:

DNS DCV vs HTTP DCV

 

 

 

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.