Skip to main content

AutoSSL Fails With "WARN DNS query error (domain.tld/NS): SERVFAIL (2)" Error

Ehsan Dowlatshah
  • Updated

Symptoms

When attempting to use the AutoSSL feature to issue a new SSL or renew the existing SSL certificate for a given domain, you encounter errors similar to the following in the AutoSSL log.

Verifying “cPanel (powered by Sectigo)”’s authorization on 3 domains via DNS CAA records …
9:36:35 PM WARN DNS query error (mail.domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (domain.tld/NS): SERVFAIL (2)
WARN DNS query error (domain.tld/CAA): SERVFAIL (2)
WARN DNS query error (subdomain.domain.tld/NS): SERVFAIL (2)

 

Description

The errors usually mean that at least one of the authoritative name servers associated with the domain is not accessible for various reasons. This can be caused by different issues. A few common causes are: 

  • The server hosting the name servers might not be running.
  • The UDP port 53 to the server is not accessible.
  • The server might not be accessible because it's behind NAT.
  • The name servers might be misconfigured and unable to respond to the DNS queries for the domain.
  • The nameservers listed at the registrar don't match the domain's NS records.
  • The resolvers used by the local server are unresponsive or cannot locate the domain's nameservers.
  • Various other network and non-network-related issues

Whatever the reason, the cPanel server is not able to query the remote authoritative server and get a response and as a result, AutoSSL fails. The best way to confirm this issue is to query the servers directly and see what is returned in the response.

  1. Find the registered nameservers for the domain. 
    [root@server ~]cPs# whois domain.tld | grep Name
    Domain Name:domain.tld
    Name Server:ns1.domain.tld
    Name Server:ns2.domain.tld
    [root@server ~]cPs#
  2. Check the NS records for the domain. 
    [root@server ~]cPs# dig domain.tld +short NS
    ns1.domain.tld.
    ns2.domain.tld.
    [root@server ~]cPs#
  3. Verify that the registered nameservers and the NS records agree.
  4. Query the nameservers directly and see what is returned. Here we query @ns2.domain.tld, but you may query any of the listed nameservers. 
    [root@server ~]cPs# dig @ns2.domain.tld domain.tld +short
    ; <<>> DiG 9.10.6 <<>> @ns2.domain.tld domain.tld +short
    ; (2 servers found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    [root@server ~]cPs#

In the above example, the query to ns2.domain.tld timed out, which indicates that either the nameserver is unresponsive or there is a network issue preventing communication between the local server and the nameserver.

Workaround

Make sure that the name serves are responsive and return the correct DNS value for the domain. AutoSSL will not be able to complete the Domain Control Validation (DCV) step to generate an AutoSSL certificate for the domain if the domain's nameservers are not returning the correct DNS values. For more information on DCV, refer to this page:

DNS DCV vs HTTP DCV

Related articles