We are currently experiencing issuance delays with Sectigo SSL Certificates. This is causing an extended delay in ticket response times.
Please see and follow https://go.cpanel.net/UPS417 for updates as we issue them.

Skip to main content

AutoSSL Fails With "WARN DNS query error (domain.tld/NS): SERVFAIL (2)" Error

Ehsan Dowlatshah
  • Updated

Symptoms

When attempting to use the AutoSSL feature to issue a new SSL or renew the existing SSL certificate for a given domain, you get this error in the AutoSSL error logs (in /var/cpanel/logs/autossl/):

Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
9:36:35 PM WARN DNS query error (mail.domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (domain.tld/NS): SERVFAIL (2)
WARN DNS query error (domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (subdomain.domain.tld/NS): SERVFAIL (2)


You can also access the relevant error log from this interface:
WHM >> SSL/TLS >> Manage AutoSSL >> Logs >> Select a log to view >> View Logs

 

Description

This usually means that at least one of the authoritative name servers associated with the domain (domain.tld) is not accessible for various reasons. This can be caused by different issues, to name just a few common ones: 

  • The server hosting the name servers might not be running.
  • The UDP port 53 to the server is not accessible.
  • The server might not be accessible because it's behind NAT (Refer to this article.).
  • The name servers might be misconfigured and not able to respond to the DNS queries for the domain.
  • Various other network and non-network-related issues

Whatever the reason, the cPanel server is not able to query the remote authoritative server and get a response and as a result, AutoSSL fails.

The best way to confirm this issue is to query the servers directly and see what is returned in response. First, you need to find out what the authoritative name servers for the domain are by running one of these commands:

whois domain.tld | grep Name
Domain Name:domain.tld
Name Server:ns1.domain.tld
Name Server:ns2.domain.tld

OR

dig domain.tld +short NS
ns1.domain.tld.
ns2.domain.tld.


Now you can query these servers directly and see what is returned by using this command (Here we query this server @ns2.domain.tld):

dig @ns2.domain.tld domain.tld +short
; <<>> DiG 9.10.6 <<>> @ns2.domain.tld domain.tld +short
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

 
As you can see when querying one of the name servers (ns2.domain.tld) we do not get anything in response, and our query fails with a connection timed out; no servers could be reached error. This more than likely means that the server is not up, which we can confirm by simply pinging the server like this:

ping ns2.domain.tld
PING ns2.domain.tld (202.47.80.140) 56(84) bytes of data.
^C
--- ns2.domain.tld ping statistics ---
88 packets transmitted, 0 received, 100% packet loss, time 87002ms

In this case, our suspicions are confirmed. However, there could be many other reasons why a server is not responsive and in most cases, the issue is usually at the network level.

Workaround

Make sure that the name serves are responsive and are returning the correct DNS value for the domain; otherwise, AutoSSL will not be able to complete the Domain Control Validation (DCV) step to generate an AutoSSL certificate for the domain. For more information on DCV refer to this page:

DNS DCV vs HTTP DCV

Related articles

Comments

0 comments

Article is closed for comments.