TLS certificate provisioning fails in secondary validation

I’m trying to set up a Mail-in-a-Box v61.1 instance, and the errors on the status check page are:

MTA-STS policy is missing: STSFetchResult.NONE

The TLS (SSL) certificate for this domain is currently self-signed. You will get a security warning when you check or send email and when visiting this domain in a web browser (for webmail or static site hosting).

So I went to the cert provisioning page and tried to get Let’s Encrypt certs. Multiple trials give this cryptic error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: autoconfig.newiz.net
  Type:   dns
  Detail: During secondary validation: DNS problem: query timed out looking up A for autoconfig.newiz.net; DNS problem: query timed out looking up AAAA for autoconfig.newiz.net

  Domain: autodiscover.newiz.net
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up A for autodiscover.newiz.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for autodiscover.newiz.net - the domain's nameservers may be malfunctioning

  Domain: www.newiz.net
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up A for www.newiz.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.newiz.net - the domain's nameservers may be malfunctioning

  Domain: mta-sts.newiz.net
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up A for mta-sts.newiz.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for mta-sts.newiz.net - the domain's nameservers may be malfunctioning

  Domain: newiz.net
  Type:   dns
  Detail: During secondary validation: DNS problem: SERVFAIL looking up A for newiz.net - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for newiz.net - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

And I re-ran the script, rebooted the machine, also tried this post and re-ran & rebooted, but the error persists.

The DNS does resolve for diagnosis tools like Google DNS, DNSViz, Let’s Debug, and Unbound Test. Also I can visit the home page and receive emails (I registered for this forum with the default MiaB alias). Since the certbot command is managed by MiaB, I think I should ask here first.

Help much appreciated!

Did you set glue records for your IPv6?

Thanks for pointing this out! The registrar’s (Namecheap) web panel doesn’t allow IPv6 addresses for that, but I’ve opened a ticket.

However, certbot also failed in looking up A records. I guess it should not rely on the AAAA glue records?

Thanks again!

The registrar added the AAAA glue record, and certs are successfully installed now.

For the record, the registrar recommendation in the MiaB docs does make sense, since those registrars seem to have better self-service support for IPv6 glue records.
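One way to reproduce what the CA's secondary validation perspectives do, as an added example that is not part of this thread or of Mail-in-a-Box: query each of the zone's nameserver addresses directly (recursion disabled), over IPv4 and over IPv6, for the A and AAAA records of every hostname that will be on the certificate, and flag the answers a resolver would turn into SERVFAIL or a timeout. The script is stdlib-only Python with a hand-rolled minimal DNS wire format. The hostnames and nameserver addresses in the demo are constructed placeholders from the documentation ranges, and demo_exchange is a stand-in for the network so the script runs offline; to probe a real zone, pass the nameserver addresses published as glue at the registrar and leave out the exchange= argument so udp_exchange is used.

```python
"""Probe a zone's authoritative nameservers over IPv4 and IPv6 for A/AAAA,
the way a CA's validation perspectives do. Stdlib only; demo data is constructed."""
import random
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Answers a resolver cannot use: the server is unreachable, errors, or the name is gone.
BAD_STATUSES = {"TIMEOUT", "ERROR", "SERVFAIL", "REFUSED", "NXDOMAIN"}


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid):
    """Non-recursive (RD=0) query: we want this server's own answer, not a referral."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def build_response(query, rcode, answer_count, authoritative=True):
    """Constructed response to `query` (header plus echoed question section only).
    Stands in for a real server in the offline demo and the tests."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if authoritative else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0) + query[12:]


def parse_header(data, txid):
    """Return (rcode name, AA flag, answer count), rejecting a mismatched transaction id."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0400), ancount


def udp_exchange(server_ip, packet, timeout=3.0):
    """One UDP round trip to server_ip:53. The socket family follows the address,
    so a v6 literal exercises the v6 path exactly as a remote perspective would."""
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return data


def probe(server_ip, qname, qtype, exchange=udp_exchange):
    """Classify one server's answer for (qname, qtype): NOERROR, NODATA, TIMEOUT, rcode."""
    txid = random.randrange(0, 0x10000)
    result = {"server": server_ip, "qname": qname, "qtype": qtype, "aa": False}
    try:
        data = exchange(server_ip, build_query(qname, qtype, txid))
        rcode, aa, ancount = parse_header(data, txid)
    except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
        result["status"] = "TIMEOUT" if isinstance(exc, socket.timeout) else "ERROR"
        return result
    result["aa"] = aa
    result["status"] = rcode if rcode != "NOERROR" else ("NOERROR" if ancount else "NODATA")
    return result


def check_authoritative(hostnames, ns_addresses, exchange=udp_exchange):
    """Every nameserver address x every hostname x {A, AAAA}."""
    return [probe(ip, host, qt, exchange)
            for ip in ns_addresses for host in hostnames for qt in ("A", "AAAA")]


def problems(results):
    """Keep what a resolver would fail on: bad statuses, or a non-authoritative
    answer (lame delegation). NODATA is fine: a host may simply have no AAAA."""
    return [r for r in results if r["status"] in BAD_STATUSES or not r["aa"]]


def demo_exchange(server_ip, packet):
    """Constructed stand-in for the network: the v4 address answers authoritatively
    (A present, no AAAA), the v6 address never answers, mirroring the thread's pattern."""
    if ":" in server_ip:
        raise socket.timeout("no route to nameserver")
    qtype = struct.unpack("!H", packet[-4:-2])[0]
    return build_response(packet, rcode=0, answer_count=1 if qtype == QTYPES["A"] else 0)


if __name__ == "__main__":
    hosts = ["example.test", "www.example.test", "mta-sts.example.test"]  # constructed
    servers = ["192.0.2.53", "2001:db8::53"]  # constructed: one v4 and one v6 NS address
    for r in problems(check_authoritative(hosts, servers, exchange=demo_exchange)):
        print(f"{r['server']:>14}  {r['qtype']:<4} {r['qname']:<24} {r['status']}")
```

Reading the report: TIMEOUT on every IPv6 nameserver address while the IPv4 addresses answer is the glue or connectivity pattern from this thread; SERVFAIL or REFUSED from an address points at the server itself; an answer without the AA flag means the delegation points at a host that is not authoritative for the zone. Run it from more than one network if you can, since a single vantage point can hide exactly the path problems the CA's extra perspectives are there to catch.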

Consider setting up a secondary nameserver to avoid a single point of failure.

See here

