[SOLVED] Let's Encrypt SERVFAIL error looking up A

When I first installed mailinabox, it was v0.27 and just gave the helpful error message of “Something went wrong” when I tried to provision a certificate.

After the upgrade (still haven’t gotten the cert) it said it failed because I hadn’t supplied --agreetos and --email flags before running noninteractively. I added those to the cron job. It stilled failed.

I don’t know what’s changed (still no cert), but now it gives this error:

Provisioning TLS certificates for box.<url>, www.<url>.
error: box.<url>, www.box.<url>:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for box.<url>
http-01 challenge for www.box.<url>
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.box.<url> (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.box.<url>, box.<url> (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for box.overturn.space
 - The following errors were reported by the server:

   Domain: www.box.<url>
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for

   Domain: box.<url>
   Type:   None
   Detail: DNS problem: SERVFAIL looking up A for box.<url>

The control panel says there are no problems with DNS, and all the webapps work, and I can send and receive mail, so clearly it’s working enough, so I don’t know what wrong and everyone who’s having a Let’s Encrypt problem is having a different problem, or is trying to renew, not get a certificate in the first place.

Please help.

Edit: I did accept the ACME EULA during install (I even reran sudo mailinabox to confirm that I did. I am removing the DNSSEC record from my domain registrar per this: https://letsencrypt.org/docs/caa/
which I got from this post: DNS problem: SERVFAIL looking up CAA

I checked the admin panel again to try to manually provision a certificate instead of waiting for the email to come in a 3am and it said there were package upgrades, so I did that, then I did a dist-upgrade to upgrade the three it held back, then I rebooted the VPS since the admin panel said that the packages were still not upgraded. Now I cannot connect the the admin panel. I can ssh into the server, which seems to be running fine. But now Firefox can't establish a connection to <IP>. Maybe DNS is having a problem because I removed the DS record (I didn’t think leaving it up would be a problem, since I added it before I found out that DNSSEC isn’t available for my domain. So.).

I don’t know.
This link:

makes it sound like it has something to do with authoritative nameservers, but it’s not really the problem I’m having (I don’t think? I let the box handle nameservers) and every other post on this forum with the word “SERVFAIL” involves CAA, port 53, or “nsd”, whatever that is.

Edit 1: Also, I checked the systems status page (admin panel), reran sudo mailinabox and rebooted. I just wanted to add that I did in fact try those first, just like the maintenance guide said. I am now try the curl command used for updating.

Edit 2: No dice. sudo mailinabox andcurl completed without user input (I tried both (the first again) after rebooting the box), because I already have an account with Let’s Encrypt. Note that I had to accept the EULA earlier today when I reran sudo mailinabox the first time. Please let this be a DNS-needs-to-propogate issue.

It’s all public info I guess so here’s my latest idea:

stevie@debian:~$ dig

; <<>> DiG 9.10.3-P4-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54512
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1280
;	IN	A


;; Query time: 59 msec
;; WHEN: Tue Aug 07 23:23:08 EDT 2018
;; MSG SIZE  rcvd: 89

So I should be able to access the admin panel. Unless authority 0 means something bad, but I tried the actual domain name and it mapped to the IP, so :man_shrugging:

My desktop email client connected just fine to the server, and the “confirm your account” emails for this forum (I wound up using a different email) finally went through.
Also, there’s a new post in /r/sysadmin.

It’s clearly time for bed. I’ll be back with news (hopefully good) tomorrow.

Nginx isn’t running. That’s why there’s no admin panel. But service nginx restart just says “fail”, systemctl isn’t a command, and don’t even know what the problem is anymore.

service nginx reload
service nginx restart
service nginx status

root@box:~# service nginx reload
 * Reloading nginx configuration nginx                                   [fail] 
root@box:~# service nginx restart
 * Restarting nginx nginx                                                [fail] 
root@box:~# service nginx status
 * nginx is not running


nginx -t

or sudo nginx -t if not using root. Paste the results.

root@box:~# nginx -t
nginx: [emerg] unexpected end of file, expecting ";" or "}" in /etc/nginx/sites-enabled/index.html:10
nginx: configuration file /etc/nginx/nginx.conf test failed

/etc/nginx/sites-enabled/index.html is blank.

The entire directory
is blank? or the file /etc/nginx/sites-enabled/index.html is blank? Meaning the file exists?

The file exists and is blank. There is nothing else in the directory.
Thanks for helping :slight_smile:

delete the file … then run nginx -t again …

disclaimer: I am using an older version of MiaB – and i do not have an index.html file there.

root@box:~# rm /etc/nginx/sites-enabled/index.html
root@box:~# nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Still no admin panel though (just in case that’s your next question)

did you restart nginx with service nginx restart or service nginx start was the next question … followed by the one you answered. :slight_smile:

I just restarted nginx and now I have the admin panel :slight_smile: Now provisioning the certificate (the original problem) asks for a CAA record, which there are many threads on here, so hopefully I can fix that.

Thank you for your help!

YW … so are you back to where you started with the same error?

If so, try this …

If you want backup the /home/user-data/ssl directory somewhere safe then remove ALL it’s contents and run the ssl_certificates.py under the ~/mailinabox/management/ directory.

No, it said it needed a CAA record, not an A record like it wanted in the first place. I did try what you said though. But then I used the custom DNS page to add the CAA record, and it worked perfectly. :slight_smile:

Thanks for all your help :slight_smile:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.