SERVFAIL (2) SSL HOSTNAME
I'm trying to obtain SSL certificates for my domains (hostname.com and subdomain.hostname.com) using Let's Encrypt, but I'm encountering an issue. The checkallsslcerts command fails with the error DNS query error (example.com/CAA): SERVFAIL (2).
I've reviewed the DNS configuration for the subdomain (subdomain.hostname.com) and it appears to be correct. However, Let's Encrypt seems unable to validate my control over the main domain (hostname.com).
I've researched the problem and found some potential causes, such as a missing or misconfigured CAA record on the main domain, issues with the nameservers, or firewall restrictions.
I've tried some solutions, but so far I haven't been able to resolve the issue. I'm starting to get frustrated and I need help finding a solution.
Any suggestions on how I can fix this problem?
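To show why a SERVFAIL on the main domain blocks a certificate for a subdomain whose own zone is fine, here is a small simulation of the CAA check a CA performs before issuing (RFC 8659: query CAA for the name, then climb to each parent; a failed lookup at any level is treated as a denial). This is an added example, not code from the thread or from cPanel/Let's Encrypt, and the zone data in it is constructed to mirror the thread.

```python
"""Simulated CAA check (RFC 8659) for a name whose parent zone is unreachable."""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class CaaReply:
    rcode: str
    records: list = field(default_factory=list)  # (flags, tag, value) tuples


def caa_chain(fqdn):
    """Names a CA queries for CAA: the FQDN, then each parent up to the TLD."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def make_resolver(zones):
    """Resolver over a constructed zone table; unknown names answer NXDOMAIN."""
    return lambda name: zones.get(name, CaaReply(NXDOMAIN))


def caa_allows(fqdn, ca, resolve):
    """Return (allowed, reason) for issuing a non-wildcard cert for fqdn."""
    for name in caa_chain(fqdn):
        reply = resolve(name)
        if reply.rcode == SERVFAIL:
            # Lookup failure is not "no CAA"; the CA must refuse to issue.
            return False, f"DNS query error ({name}/CAA): SERVFAIL"
        if reply.rcode == NOERROR and reply.records:
            issue = [v for _, tag, v in reply.records if tag == "issue"]
            if not issue:
                return True, f"CAA at {name} has no issue tags; unrestricted"
            if any(v.split(";")[0].strip() == ca for v in issue):
                return True, f"CAA at {name} authorizes {ca}"
            return False, f"CAA at {name} does not authorize {ca}"
        # NXDOMAIN or empty answer: no CAA at this level, climb to the parent
    return True, "no CAA records in the chain; unrestricted"


# Constructed zones: the subdomain zone exists, but nothing serves the apex
# (missing glue records / no zone for hostname.com), so it returns SERVFAIL.
BROKEN_ZONES = {"subdomain.hostname.com": CaaReply(NOERROR),
                "hostname.com": CaaReply(SERVFAIL), "com": CaaReply(NOERROR)}
# After the fix the apex answers, here with a CAA record naming the CA.
FIXED_ZONES = dict(BROKEN_ZONES,
                   **{"hostname.com": CaaReply(NOERROR, [(0, "issue", "letsencrypt.org")])})
# A restrictive apex that names a different CA (placeholder name).
DENY_ZONES = dict(BROKEN_ZONES,
                  **{"hostname.com": CaaReply(NOERROR, [(0, "issue", "other-ca.example")])})
```

Running caa_allows("subdomain.hostname.com", "letsencrypt.org", make_resolver(BROKEN_ZONES)) reproduces the thread's failure, while FIXED_ZONES permits issuance and DENY_ZONES refuses it on policy rather than on a lookup error.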
Hey there! If you run this command on the server does it return the correct IP address for the hostname?
/scripts/cpdig your.servers.hostname A
Thank you very much for responding. If I run it with the full hostname, it returns the correct IP. If I run the domain name but without the subdomain, it does not return an IP. Does Let's Encrypt require that the domain (and not just the hostname subdomain) point to the same IP?
No, there is no requirement for the domain and hostname to share an IP address.
Is there anything odd related to that domain when you scan it with a tool like intodns.com? If not, it's usually best to create a ticket for these issues as that seems to provide better and faster results than trying to guess at potential problems over the Forum.
Update: I have added glue records for the NS, and I also created a new DNS zone on the server for the hostname domain (in addition to the DNS zone that already existed for the subdomain hostname). This way, Let's Encrypt stopped returning a 400 error and was able to validate the domain and generate a new SSL certificate for the server.
The issue with the glue records likely would have shown up with a tool such as intodns.com, which is always a great way to ensure there are no issues with any portion of your DNS configuration.