CAA record prevents issuing the certificate: SERVFAIL

[ErikdL]

I see, there are more threads about this error: CAA record prevents issuing the certificate: SERVFAIL

The thing in my case is: Where is that CAA record? I can't find it with any of the tools on the web?

I use Centos7, DA2, Lets Encrypt SSL, each domain has its own.

# dig caa duivenblogs.nl

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> caa duivenblogs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38126
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;duivenblogs.nl. IN CAA

;; AUTHORITY SECTION:
duivenblogs.nl. 3600 IN SOA nszero1.axc.nl. hostmaster.duivenblogs.nl. 2021012703 10800 3600 604800 3600

;; Query time: 31 msec
;; SERVER: 93.180.70.22#53(93.180.70.22)
;; WHEN: Thu Jan 28 13:23:23 CET 2021
;; MSG SIZE rcvd: 114

Where to start if no CAA records can be found??

The domains are hosted on a VPS, s1.ewdl.nl
With ping this hostname resolves. But with DNSCHECKER no results.
The mail domain, ewdl.nl is hosted on another server.

https://dnschecker.org/all-dns-records-of-domain.php?query=s1.ewdl.nl&rtype=ANY

Anyone any idea???


Thnx
Erik

 

[k1l0b1t]

I see, there are more threads about this error: CAA record prevents issuing the certificate: SERVFAIL

The thing in my case is: Where is that CAA record? I can't find it with any of the tools on the web?

I use Centos7, DA2, Lets Encrypt SSL, each domain has its own.



Where to start if no CAA records can be found??

The domains are hosted on a VPS, s1.ewdl.nl
With ping this hostname resolves. But with DNSCHECKER no results.
The mail domain, ewdl.nl is hosted on another server.



Anyone any idea???


Thnx
Erik

as far as I know something related to dnssec.

Ask the registrar to remove any DS records (Seems to be a bug at your registrar, had the same issue there )

 

[ErikdL]

as far as I know something related to dnssec.

Ask the registrar to remove any DS records (Seems to be a bug at your registrar, had the same issue there )

I contacted them. Have no service contract so they can't help me..

Results of: DNSSEC Analyzer - duivenblogs.nl (verisignlabs.com) :

No problems found?? I Guess?

 

[k1l0b1t]

Are you using their nameservers? Or the ones on your vps?

 

[ErikdL]

Are you using their nameservers? Or the ones on your vps?

Theirs. I have none active on my VPS.

 

[k1l0b1t]

Hmm, try disabeling dnssec

 

[ErikdL]

I got no idea how? I can add/change DNS records in my User panel on the website of my hosting provider.
In DirectAdmin there is no option to en-/disable DNSSEC or Key.
I can't find any option to disable DNSSEC.

 

[k1l0b1t]

At the registrar

 

[ErikdL]

I can't figure it out.

 

[factor]

no issues at intodns

intoDNS: ewdl.nl - check DNS server and mail server health

intoDNS: Checking health and configurtion of DNS server and mail server for domainewdl.nl.

intodns.com

 

[factor]

DId you migrate for cPanel?

 

[ErikdL]

No, I run DA for years now.
In November i could get Lets Encrypt certificates for multiple domains.
Now i get mails every day with CAA record prevents issuing the certificate: SERVFAIL for those domains.
Besides this, I can't get new certificates for new domain names like duivenblogs.nl, DA gives the same error.

 

[factor]

are you on cloudlinux?

Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

I got a strange error whilst creating an SSL certificate for a new domain: CAA record prevents issuing the certificate: SERVFAIL. Any idea's how to fix this? Thanks

forum.directadmin.com

 

[ErikdL]

Is a VPS. Has its own IP4.
I do get some IPv6 errors if I do the test on https://dnsviz.net/d/duivenblogs.nl/dnssec/
But my VPS has no Ipv6 IP. I can't that working, but that's another issue...

 

[k1l0b1t]

Is a VPS. Has its own IP4.
I do get some IPv6 errors if I do the test on https://dnsviz.net/d/duivenblogs.nl/dnssec/
But my VPS has no Ipv6 IP. I can't that working, but that's another issue...

Odd, what does /var/log/messages say?

 

[factor]

Is lego and latest letsencrypt installed?

cd /usr/local/directadmin/custombuild
./build set_fastest
./build update
./build letsencrypt
./build lego

 

[ErikdL]

Odd, what does /var/log/messages say?

Can't find anything strange.
Exept may be1 IP which is in the same range as my server IP. That one is blocked.

 

[ErikdL]

Is lego and latest letsencrypt installed?

cd /usr/local/directadmin/custombuild
./build set_fastest
./build update
./build letsencrypt
./build lego

Just did to be sure, doesn't make a difference :S

 

[factor]

Just did to be sure, doesn't make a difference :S

humm. its going to be something simple.. and we will all go ahhh dang..

 

[factor]

CAA record prevents issuing the certificate: SERVFAIL

I have this when i try to add domains - SSL Certificates Error: Could not execute your request CAA record prevents issuing the certificate: SERVFAIL What are the solutions ? Kind Regards, Mattias V

forum.directadmin.com

Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

I got a strange error whilst creating an SSL certificate for a new domain: CAA record prevents issuing the certificate: SERVFAIL. Any idea's how to fix this? Thanks

forum.directadmin.com

Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

I got a strange error whilst creating an SSL certificate for a new domain: CAA record prevents issuing the certificate: SERVFAIL. Any idea's how to fix this? Thanks

forum.directadmin.com