CAA record prevents issuing the certificate: SERVFAIL

larso

Automatic certificate renewal failed for a Let's Encrypt certificate (for domain sa-design.nl on VPS), and when I try to get an automatic certificate from the ACME provider (Let's Encrypt) I get the error CAA record prevents issuing the certificate: SERVFAIL.

I have no CAA record for this domain, and all DNS settings and DNSSEC seem fine when I check this at https://dnssec-analyzer.verisignlabs.com/.

I've tried adding a CAA record for Let's Encrypt but this does not help. I still get the same error, so I removed it again.

I've checked all settings on the VPS but I don't know what's wrong. Any suggestions that could help to solve this?
 
Any suggestions that could help to solve this?
You have an invalid hostname. That is not an FQDN hostname, and from experience I know Let's Encrypt will sometimes trip over this.

First change your hostname to a valid one, which is not just your domain name, but for example server.yourdomain.com.

So change to server.sa-design.nl (or something like that, preferably not mail.sa-design.nl) and update the rDNS/PTR record accordingly.

Also, if you have set up DNSSEC or a CAA record, be sure to copy this to your external DNS, since you seem not to run your own nameservers.

Then try again and see if the error persists.
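
The hostname advice in the reply above, written as a preflight check before requesting a certificate. This is an added example, not part of the original thread: the function names are hypothetical, and the second function lists the names at which a CA looks for CAA records (RFC 8659 tree climbing), each of which must resolve without SERVFAIL.

```python
import re

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(hostname, hosted_domains):
    """Return reasons the server hostname is unsuitable (empty list means OK)."""
    host = hostname.rstrip(".").lower()
    domains = {d.rstrip(".").lower() for d in hosted_domains}
    labels = host.split(".")
    problems = []
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        problems.append("not a syntactically valid DNS name")
    if len(labels) < 2:
        problems.append("single label, not an FQDN")
    if host in domains:
        # The case from this thread: hostname equal to the hosted domain itself.
        problems.append("identical to a hosted domain; use e.g. server.<domain>")
    if labels[0] == "mail":
        problems.append("'mail.' hostname is discouraged in the reply above")
    return problems


def caa_lookup_chain(name):
    """Names queried for CAA, from the requested name up to the TLD (RFC 8659)."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


if __name__ == "__main__":
    hosted = ["sa-design.nl"]  # domain taken from the thread
    for candidate in ("sa-design.nl", "mail.sa-design.nl", "server.sa-design.nl"):
        issues = hostname_problems(candidate, hosted)
        print(f"{candidate}: {'OK' if not issues else '; '.join(issues)}")
    # Each of these names can then be checked by hand, e.g. `dig CAA <name>`.
    print("CAA lookups:", caa_lookup_chain("server.sa-design.nl"))
```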
 
The invalid hostname was the problem indeed! After changing the hostname of the server the certificate was issued without any problems.

So problem resolved. Thank you!

Regards,
Lars
 