Symptoms
When attempting to use the AutoSSL feature to issue a new SSL or renew the existing SSL certificate for a given domain, you encounter errors similar to the following in the AutoSSL log.
Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
9:36:35 PM WARN DNS query error (mail.domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (domain.tld/NS): SERVFAIL (2)
WARN DNS query error (domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (subdomain.domain.tld/NS): SERVFAIL (2)
Description
The errors usually mean that at least one of the authoritative name servers associated with the domain is not accessible for various reasons. AutoSSL needs to be able to query name servers recursively; if it cannot, AutoSSL orders will fail.
Workaround
You must ensure that the name servers are responsive and return the correct DNS values for the domain. AutoSSL cannot complete the Domain Control Validation (DCV) step and issue a certificate for the domain if the domain's nameservers do not return the correct DNS values.
A few common causes are:
- The server hosting the name servers might not be running.
- The UDP port 53 to the server is not accessible.
- The server might not be accessible because it's behind NAT.
- The name servers might be misconfigured and unable to respond to the DNS queries for the domain.
- The nameservers listed at the registrar don't match the domain's NS records.
- The resolvers used by the local server are unresponsive or cannot locate the domain's nameservers.
- Various other network and non-network-related issues.
The best way to identify the cause is to query the servers directly and see what is returned in the response.
- Find the registered nameservers for the domain.
[root@server ~]cPs# whois domain.tld | grep Name
Domain Name:domain.tld
Name Server:ns1.domain.tld
Name Server:ns2.domain.tld
- Check the NS records for the domain.
[root@server ~]cPs# dig domain.tld +short NS
ns1.domain.tld.
ns2.domain.tld.
- Verify that the registered nameservers and the NS records agree.
- Query the nameservers directly and see what is returned. Here we query @ns2.domain.tld, but you may query any of the listed nameservers.
[root@server ~]cPs# dig @ns2.domain.tld domain.tld +short
; <<>> DiG 9.10.6 <<>> @ns2.domain.tld domain.tld +short
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached
In the above example, the query to ns2.domain.tld timed out, which indicates that either the nameserver is unresponsive or there is a network issue preventing communication between the local server and the nameserver.
Please note that you can use dig with the +trace flag for a more detailed check. With +trace, dig follows the delegation chain itself, starting at the root nameservers, instead of relying on answers cached by the local resolver, so it shows exactly which server answers at each step.
[root@server ~]cPs# dig +trace cpanel.net +short
NS e.root-servers.net. from server 192.168.0.1 in 144 ms.
NS h.root-servers.net. from server 192.168.0.1 in 144 ms.
NS m.root-servers.net. from server 192.168.0.1 in 144 ms.
NS b.root-servers.net. from server 192.168.0.1 in 144 ms.
NS k.root-servers.net. from server 192.168.0.1 in 144 ms.
NS i.root-servers.net. from server 192.168.0.1 in 144 ms.
NS d.root-servers.net. from server 192.168.0.1 in 144 ms.
NS c.root-servers.net. from server 192.168.0.1 in 144 ms.
NS f.root-servers.net. from server 192.168.0.1 in 144 ms.
NS a.root-servers.net. from server 192.168.0.1 in 144 ms.
NS j.root-servers.net. from server 192.168.0.1 in 144 ms.
NS l.root-servers.net. from server 192.168.0.1 in 144 ms.
NS g.root-servers.net. from server 192.168.0.1 in 144 ms.
A 208.74.121.151 from server 208.74.121.52 in 38 ms.
A 208.74.123.84 from server 208.74.121.52 in 38 ms.
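The checks above can be run together for one domain with the following script. It is an added example and not cPanel's code; it assumes dig (bind-utils) is installed, uses whois only when present, and queries each nameserver directly for the same NS and CAA records that appear in the AutoSSL log, classifying each answer as the log would (timeout, SERVFAIL, or a lame, non-authoritative answer from a misconfigured server).

```shell
#!/bin/sh
# Added example, not cPanel's code: runs the checks above for one domain.
# Assumes dig (bind-utils) is installed; whois is used only if present.
# Classify full dig output the way the AutoSSL log does: timeout, SERVFAIL,
# NXDOMAIN, NOERROR (authoritative), lame (NOERROR but the server is not
# authoritative for the zone, i.e. misconfigured), or other.
classify_dig_output() {
    case "$1" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: SERVFAIL"*) echo SERVFAIL ;;
        *"status: NXDOMAIN"*) echo NXDOMAIN ;;
        *"status: NOERROR"*) case "$1" in
                *"flags: qr aa"*) echo NOERROR ;;
                *) echo lame ;;
            esac ;;
        *) echo other ;;
    esac
}
# Normalise a whitespace-separated nameserver list: lowercase, no trailing dot, sorted.
normalize_ns_list() {
    printf '%s\n' $1 | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u | tr '\n' ' ' | sed 's/ $//'
}
# Succeeds when the registrar's list and the zone's NS records name the same servers.
ns_lists_agree() {
    [ "$(normalize_ns_list "$1")" = "$(normalize_ns_list "$2")" ]
}
# Query each nameserver of $1 directly for the NS and CAA records AutoSSL needs.
# An empty CAA answer is fine (NOERROR); SERVFAIL, timeouts and lame answers are not.
check_domain() {
    domain="$1"; rc=0
    ns_records=$(dig +short NS "$domain")
    [ -n "$ns_records" ] || { echo "no NS records resolvable for $domain: check the local resolvers"; return 1; }
    if command -v whois >/dev/null 2>&1; then
        registered=$(whois "$domain" | grep -i 'name server' | sed 's/.*:[[:space:]]*//')
        ns_lists_agree "$registered" "$ns_records" || { echo "registrar nameservers differ from NS records"; rc=1; }
    fi
    for ns in $ns_records; do
        for type in NS CAA; do
            out=$(dig +time=3 +tries=1 +norecurse "@$ns" "$domain" "$type" 2>&1)
            status=$(classify_dig_output "$out")
            echo "$ns $domain/$type: $status"
            [ "$status" = NOERROR ] || rc=1
        done
    done
    return $rc
}

if [ -n "${1:-}" ]; then check_domain "$1"; fi
```

Run it as `sh check_autossl_dns.sh domain.tld`; a non-zero exit means at least one nameserver gave an answer AutoSSL would reject, and the per-server lines show which one.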