DEV Community

Arseny Zinchenko
Arseny Zinchenko

Posted on • Originally published at rtfm.co.ua on

Let's Encrypt: SSL and the "SERVFAIL looking up CAA for domain.com" error

One of mine website stopped working with the “Connection reset” error.

NGINX configs seem to be correct, and other sites on the same server are working.

NGINX also gave nothing, no errors, PHP-FPM also are good.

Let’s check the website with the curl:

$ curl -Iv [https://example.setevoy.org.ua/](https://example.setevoy.org.ua/)
* Trying 139.59.205.180:443…
* Connected to example.setevoy.org.ua (139.59.205.180) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to example.setevoy.org.ua:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to example.setevoy.org.ua:443
Enter fullscreen mode Exit fullscreen mode

The cause

Because the error above are reported from the SSL_connect call, then the first thing to check was the website's certificate, although if it was expired, then the error must be different.

Still, go to try to renew the certificate:

root@rtfm-do-production-d10:/etc/nginx/conf.d# certbot renew
…
Attempting to renew cert (example.setevoy.org.ua) from /etc/letsencrypt/renewal/example.setevoy.org.ua.conf produced an unexpected error: Failed authorization procedure. example.setevoy.org.ua (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for setevoy.org.ua — the domain’s nameservers may be malfunctioning. Skipping.
…
“DNS problem: SERVFAIL looking up CAA for setevoy.org.ua — the domain’s nameservers may be malfunctioning.” — okay, now we’ve got more details and a new error.
Enter fullscreen mode Exit fullscreen mode

But why the error appears from the top-level domain — setevoy.org.ua? And why Let’s Encrypt checking the CAA record? Previously, everything was working without it.

Anyway, let’s go to check the DNS of the domain — find them:

root@rtfm-do-production-d10:/etc/nginx/conf.d# whois setevoy.org.ua | grep nserver
nserver: ns-1083.awsdns-07.org
nserver: ns-2030.awsdns-61.co.uk
nserver: ns-271.awsdns-33.com
nserver: ns-721.awsdns-26.net
Enter fullscreen mode Exit fullscreen mode

Check, if a server returns an answer:

root@rtfm-do-production-d10:/etc/nginx/conf.d# dig @ns-1083.awsdns-07.org setevoy.org.ua +short
139.59.205.180
Enter fullscreen mode Exit fullscreen mode

All is good here.

Go to the Google, and find a discussion тут>>>, and this topic from Namecheap.

Go to check if I have CAA on the root domain:

Um… But Google has it:

root@rtfm-do-production-d10:/etc/nginx/conf.d# dig google.com CAA +short
0 issue “pki.goog”
Enter fullscreen mode Exit fullscreen mode

And rtfm.co.ua, by the way, also hasn’t it, and everything is working here (yet). Maybe, it will break on the next renew, will see.

The solution

Go to the Route53, add a new record:

Choose its type as CAA, set its value as 0 issue "letsencrypt.org" to allow issuing SSL certificates from Let's Encrypt:

Check, if DNS were updated:

root@rtfm-do-production-d10:/etc/nginx/conf.d# dig setevoy.org.ua CAA +short
0 issue “letsencrypt.org”
Enter fullscreen mode Exit fullscreen mode

Try to run certbot renew again:

root@rtfm-do-production-d10:/etc/nginx/conf.d# certbot renew
…
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.setevoy.org.ua/fullchain.pem (success)
Enter fullscreen mode Exit fullscreen mode

Done.

Originally published at RTFM: Linux, DevOps, and system administration.

Discussion (0)