CAA record prevents issuing the certificate: SERVFAIL - Let's Encrypt

kapaweb

Hello!
I have a VPS with CentOS 6.9, and the new domains I added are redirected to HTTPS with this error:

Secure Connection Failed

An error occurred during a connection to www.stylianos.gr. PR_CONNECT_RESET_ERROR

When I try to create a new certificate (Let's Encrypt), I get this error in DirectAdmin:

Cannot Execute Your Request
"CAA record prevents issuing the certificate: SERVFAIL "

I have tried to update BIND with this command:

yum -y install dnsmasq bind bind-libs bind-utils

Do you have any idea what might be wrong?
Thank you!
 
PR_CONNECT_RESET_ERROR
Points to a connection reset on SSL for some reason.

Sometimes a ./build all works.

cd /usr/local/directadmin/custombuild
./build all

However, since you're on CentOS 6, I don't know which version of DA you're running. If it's an old version, this command could mess things up for you.

Maybe then you could try the ./build rewrite_confs command.
 
I tried to check your CAA records and I get no SERVFAIL at this point. Let's Encrypt is required to check for CAA records: they can define which CAs are allowed to create certificates for you. If you don't have a CAA record, any CA can create certificates. But if the nameserver returns SERVFAIL, it is not allowed to create certificates. Do you run your own DNS server? If not, you should contact the DNS server operator for your domain.

Code:
# host -t caa www.stylianos.gr.
www.stylianos.gr has no CAA record

# host -t caa stylianos.gr.
stylianos.gr has no CAA record

The situation looks good now though. Is Let's Encrypt working for you again?

SERVFAIL can point at DNSSEC problems, but I don't see a DS record at your domain, so I don't think you are using DNSSEC.
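
Added example (not part of the thread, and not Let's Encrypt's or DirectAdmin's code): a sketch of the CAA decision described above for a non-wildcard name, showing why "no CAA record" permits issuance while SERVFAIL blocks it. The `.test` names, the sample answers and the function names are constructed for illustration, and treating every rcode other than NOERROR/NXDOMAIN like SERVFAIL is an assumption of this sketch.

```python
# Constructed resolver answers (sample data, not real DNS): name -> (rcode, CAA RRset).
# Each CAA record is (flags, tag, value).
SAMPLE_ANSWERS = {
    "www.pinned.test.": ("NOERROR", []),
    "pinned.test.": ("NOERROR", [(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                                 (0, "iodef", "mailto:hostmaster@pinned.test")]),
    "www.open.test.": ("NOERROR", []),
    "open.test.": ("NOERROR", []),
    "www.broken.test.": ("SERVFAIL", []),
}

def sample_lookup(name):
    """Stand-in for a real CAA query; names not listed answer NXDOMAIN."""
    return SAMPLE_ANSWERS.get(name, ("NXDOMAIN", []))

def caa_decision(fqdn, ca_domain, lookup=sample_lookup):
    """Return (allowed, reason) for a non-wildcard name, climbing toward the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, rrset = lookup(name)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            # The case from this thread: the CA cannot tell whether a CAA
            # record exists, so it refuses instead of assuming "no record".
            return False, f"{name} answered {rcode}: lookup failed, issuance refused"
        if not rrset:
            continue  # nothing published at this name, ask the parent
        # Keep only the issuer domain; parameters after ';' are ignored here.
        issuers = [value.split(";")[0].strip().lower()
                   for _flags, tag, value in rrset if tag.lower() == "issue"]
        if not issuers:
            return True, f"{name} has CAA records but no 'issue' tag: not restricted"
        if ca_domain.lower() in issuers:
            return True, f"{name} authorises {ca_domain}"
        return False, f"{name} authorises only {issuers}"
    return True, "no CAA record at any level: any CA may issue"

if __name__ == "__main__":
    for host in ("www.pinned.test.", "www.open.test.", "www.broken.test."):
        print(host, caa_decision(host, "letsencrypt.org"))
```
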
 