SSL error SERVFAIL looking up A

Hello there, I have a problem enabling Let’s Encrypt SSL, giving me the error SERVFAIL looking up A for server.domainname.com - the domain’s nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for server.domainname.com - the domain’s nameservers may be malfunctioning

I have correctly configured the DNS and they are propagated from my domain provider. I have carried out this process on other VPS and it has worked without problems; however, on this specific one it is not allowing me to do it. I have also carried out the procedures indicated in the documentation and the forums but there is no solution. Any ideas?

"detail": "DNS problem: SERVFAIL looking up A for server2.cpe-facturacioncdperu.com - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for server2.cpe-facturacioncdperu.com - the domain's nameservers may be malfunctioning",
"status": 400
},

I’m not so sure about that.

server2.cpe-facturacioncdperu.com | DNSViz

1 Like

Hi @alljav,

I’m sorry but I don’t think so. You have configured 10 NS servers for your domain.

$ dig @e.gtld-servers.net cpe-facturacioncdperu.com ns +noall +auth +add
cpe-facturacioncdperu.com. 172800 IN    NS      ns1.server5.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns2.server5.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns1.server20.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns2.server20.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns1.server19.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns2.server19.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns1.server6.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns2.server6.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns1.server2.cpe-facturacioncdperu.com.
cpe-facturacioncdperu.com. 172800 IN    NS      ns2.server2.cpe-facturacioncdperu.com.
ns1.server5.cpe-facturacioncdperu.com. 172800 IN A 161.132.40.200
ns2.server5.cpe-facturacioncdperu.com. 172800 IN A 161.132.40.200
ns1.server20.cpe-facturacioncdperu.com. 172800 IN A 161.132.48.202
ns2.server20.cpe-facturacioncdperu.com. 172800 IN A 161.132.48.202
ns1.server19.cpe-facturacioncdperu.com. 172800 IN A 161.132.41.31
ns2.server19.cpe-facturacioncdperu.com. 172800 IN A 161.132.41.31
ns1.server6.cpe-facturacioncdperu.com. 172800 IN A 161.132.38.249
ns2.server6.cpe-facturacioncdperu.com. 172800 IN A 161.132.38.249
ns1.server2.cpe-facturacioncdperu.com. 172800 IN A 161.132.47.55
ns2.server2.cpe-facturacioncdperu.com. 172800 IN A 161.132.47.55

But not all of them are resolving your domain:

Example:

$ dig @161.132.40.200 server2.cpe-facturacioncdperu.com

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @161.132.40.200 server2.cpe-facturacioncdperu.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8588
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 45cf0d63a7dbc5310100000066ac60f95e4966575976a807 (good)
;; QUESTION SECTION:
;server2.cpe-facturacioncdperu.com. IN  A

;; Query time: 179 msec
;; SERVER: 161.132.40.200#53(161.132.40.200) (UDP)
;; WHEN: Fri Aug 02 06:30:49 CEST 2024
;; MSG SIZE  rcvd: 90

You should fix that.

1 Like
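Added example (not part of the original posts): the check from the reply above, applied to saved `dig @server name` output for every server in a delegation, flagging servers that are listed as NS but refuse or fail the query. The 192.0.2.x replies are constructed samples and the function names are hypothetical.

```python
import re

# Header lines of dig's default output, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8588"
HEADER = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);", re.M)

def classify(dig_output):
    """Classify one server's reply from the text of `dig @server name`."""
    header, flags = HEADER.search(dig_output), FLAGS.search(dig_output)
    if not (header and flags):
        return "no-reply"            # timeout or truncated paste
    status, flagset = header.group(1), set(flags.group(1).split())
    if status in ("REFUSED", "SERVFAIL", "NOTAUTH"):
        return "lame"                # listed as NS but does not serve the zone
    if "aa" in flagset:
        return "authoritative"       # answered from its own zone data
    return "referral-or-cached"      # NOERROR without aa: delegation or recursion

def lame_servers(replies):
    """Return the servers (sorted) whose reply is lame or missing."""
    bad = ("lame", "no-reply")
    return sorted(s for s, out in replies.items() if classify(out) in bad)

REPLIES = {
    # Header lines from the reply above: an NS for the domain refusing the query.
    "161.132.40.200": (
        ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8588\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    # Constructed samples (documentation addresses, not real servers).
    "192.0.2.53": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    ),
    "192.0.2.54": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
        ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3\n"
    ),
    "192.0.2.55": ";; communications error to 192.0.2.55#53: timed out\n",
}

if __name__ == "__main__":
    for server, out in REPLIES.items():
        print(server, classify(out))
    print("fix or remove:", lame_servers(REPLIES))
```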

You also have each of your ns1 and ns2 names pointed at the same IPs as each other. That doesn’t serve any useful purpose.

It’s a requirement that you have 2 name servers, and they can be the same IP address, while it’s not ideal for redundancy, it’s the minimum viable option for getting things to work properly.

I know that it can be done. Over a couple of decades ago, when I was young and inexperienced, I, too, once resorted to such poor design shortcuts to avoid the effort of a proper redundant implementation. While I did quickly outgrow that bad practice, I only had one server at the time in an era of bare metal. You have five servers, not one, so you could configure them redundantly instead of using self-sabotaging shortcuts.

¯\\_(ツ)_/¯

Hello there, it is the only way I have found for subdomains of a domain for different VPS, and my problem is that I only have problems configuring this one. For all the others I was able to generate the SSL with Hestia for both the main and the corresponding subdomain. That’s why I’m turning to you. I’ve been looking to fix it for a few weeks now. Do you have an idea how I could do it? Thanks

Maybe you were lucky when issuing a certificate but you must fix the NS mess.

What I would do:

Remove all the NS servers and the glue records and add only two (right now it doesn’t matter whether both NS point to the same server).

At your registrar:

cpe-facturacioncdperu.com -> ns1.cpe-facturacioncdperu.com -> glue record pointing to A.B.C.D
cpe-facturacioncdperu.com -> ns2.cpe-facturacioncdperu.com -> glue record pointing to A.B.C.D

At your Hestia Server A.B.C.D that will resolve requests for your main domain.

Create dns zone for cpe-facturacioncdperu.com:

This zone will have two NS records: ns1.cpe-facturacioncdperu.com and ns2.cpe-facturacioncdperu.com

This zone will also have two A records for both NS pointing to A.B.C.D

Now, if you want the other Hestia servers to resolve the zones serverX, then you must delegate the serverX subdomains to the other Hestia servers.

I mean, if you want to delegate server19 to Hestia Server 161.132.41.31, in your main Hestia server, the one where you added the zone for cpe-facturacioncdperu.com you should add these records.

Two NS records for server19.cpe-facturacioncdperu.com pointing to ns1.server19.cpe-facturacioncdperu.com and ns2.server19.cpe-facturacioncdperu.com

And two A records ns1.server19.cpe-facturacioncdperu.com and ns2.server19.cpe-facturacioncdperu.com pointing to 161.132.41.31

Now in server19, you must add a dns zone for server19.cpe-facturacioncdperu.com and again, two NS records pointing to ns1.server19.cpe-facturacioncdperu.com and ns2.server19.cpe-facturacioncdperu.com and also two A records ns1.server19.cpe-facturacioncdperu.com and ns2.server19.cpe-facturacioncdperu.com pointing to 161.132.41.31

I know it can be confusing, so here are two screenshots with an example for your main domain and the delegation for server19.

Main server:

Delegated DNS Server server19:

3 Likes
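Added example (not part of the original posts): the records described in the post above written out as data, with a consistency check between the delegation on the main server and the zone on server19. `A.B.C.D` is the post's own placeholder; the record layout and function names are hypothetical.

```python
# Records as (owner, type, value), following the layout described in the post.
D = "cpe-facturacioncdperu.com"
SUB = f"server19.{D}"

DELEGATED = [  # identical NS + A records must exist on both sides
    (SUB, "NS", f"ns1.{SUB}"), (SUB, "NS", f"ns2.{SUB}"),
    (f"ns1.{SUB}", "A", "161.132.41.31"), (f"ns2.{SUB}", "A", "161.132.41.31"),
]
PARENT = [  # zone for the main domain on the main Hestia server A.B.C.D
    (D, "NS", f"ns1.{D}"), (D, "NS", f"ns2.{D}"),
    (f"ns1.{D}", "A", "A.B.C.D"), (f"ns2.{D}", "A", "A.B.C.D"),
] + DELEGATED
CHILD = list(DELEGATED)  # zone for server19.<domain> on server19 itself

def values(zone, owner, rtype):
    """Set of record values for one owner name and type."""
    return {v for o, t, v in zone if o == owner and t == rtype}

def check_delegation(parent, child, sub):
    """Return mismatches between the parent's delegation and the child zone."""
    problems = []
    p_ns, c_ns = values(parent, sub, "NS"), values(child, sub, "NS")
    if len(p_ns) < 2:
        problems.append(f"parent has {len(p_ns)} NS for {sub}, post uses 2")
    if p_ns != c_ns:
        problems.append(f"NS sets differ: parent={sorted(p_ns)} child={sorted(c_ns)}")
    for ns in sorted(p_ns):
        if not ns.endswith("." + sub):
            continue  # name server outside the delegated zone: no glue needed
        glue, addr = values(parent, ns, "A"), values(child, ns, "A")
        if not glue:
            problems.append(f"missing glue A for {ns} in parent")
        elif glue != addr:
            problems.append(f"glue for {ns} {sorted(glue)} != child {sorted(addr)}")
    return problems

if __name__ == "__main__":
    print(check_delegation(PARENT, CHILD, SUB) or "delegation consistent")
```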

I’m going to try it, thank you so much

1 Like

It was very helpful, thanks my friend, I solved it

1 Like
