Could not execute your request - CAA record prevents issuing the certificate: SERVFAIL

rambo19997
New member, joined Feb 18, 2022, 6 messages
I have a simple website with the domain www.planetapp.duckdns.org.
I am trying to install a Let's Encrypt SSL certificate but it returns the error "Could not execute your request - CAA record prevents issuing the certificate: SERVFAIL".
Has anyone had this problem?
I have seen a lot of threads but I can't find any solution.
 
Sorry, but I'm new in this world and I have to study a lot of things in DNS etc.
My website was previously hosted on a server with the Plesk panel; I clicked on "generate ssl let's encrypt certificate" and it worked correctly, so my website was https and not http.
Why doesn't it work this time like it did with Plesk?
 
I have not set any AAA record, because I'm using duckdns.org, so I changed only the A record to point to my new hosting server with DirectAdmin.
 

TLS Certificate expiration

The certificate expires February 18, 2023 (365 days from today)

Huh? LE only provides 90 days, right? Where is this coming from?
You have a problem with the nameservers; I can't check your domain for DNS errors!
Try it yourself at intodns.com
 
Might be a DNSSEC issue. Could you try either disabling DNSSEC on your domain zone or adding the following CAA record?

Code:
planetapp.duckdns.org. CAA 0 issue "letsencrypt.org"
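
As an added example (not part of the original posts, and not DirectAdmin or Let's Encrypt code): a sketch of the CAA check a CA performs before issuing, using the RFC 8659 tree-climbing lookup, to show why a SERVFAIL answer blocks issuance while a clean "no CAA record" answer does not. The function names and zone data are constructed for illustration, and failing closed on SERVFAIL is modeled on the error quoted in this thread.

```python
# Simulated CAA evaluation for a non-wildcard name. No live DNS is queried:
# each "zone" below is constructed sample data mapping a name to its CAA answer.
SERVFAIL = "SERVFAIL"  # the resolver could not obtain an answer (e.g. broken DNSSEC)

def relevant_caa(fqdn, lookup):
    """Climb from fqdn toward the root (RFC 8659) until a CAA RRset is found.
    Returns (name, rrset): rrset is [] if none exists, SERVFAIL on lookup error."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        answer = lookup(name)
        if answer == SERVFAIL:
            return name, SERVFAIL      # stop: absence of CAA cannot be proven
        if answer:
            return name, answer        # closest CAA RRset wins, climbing stops
    return None, []

def may_issue(fqdn, ca_domain, lookup):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    name, rrset = relevant_caa(fqdn, lookup)
    if rrset == SERVFAIL:
        return False, f"CAA lookup for {name} failed: SERVFAIL"
    for flags, tag, _ in rrset:
        # Flag bit 128 is "issuer critical": an unknown critical tag forbids issuance.
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical CAA property {tag!r} at {name}"
    issuers = [v.split(";")[0].strip() for _, t, v in rrset if t == "issue"]
    if not issuers:
        return True, "no CAA issue property restricts issuance"
    if ca_domain in issuers:
        return True, f"{name} authorizes {ca_domain}"
    return False, f"{name} does not authorize {ca_domain}"

def make_lookup(zone):
    return lambda name: zone.get(name, [])

# Constructed scenarios (not real DNS data for these names):
BROKEN = {"planetapp.duckdns.org.": SERVFAIL}
NO_CAA = {}
WITH_CAA = {"planetapp.duckdns.org.": [(0, "issue", "letsencrypt.org")]}
OTHER_CA = {"duckdns.org.": [(0, "issue", "ca.example")]}

if __name__ == "__main__":
    for label, zone in [("broken", BROKEN), ("no CAA", NO_CAA),
                        ("with CAA", WITH_CAA), ("other CA", OTHER_CA)]:
        print(label, may_issue("www.planetapp.duckdns.org",
                               "letsencrypt.org", make_lookup(zone)))
```

On a live system the same distinction shows up in the `status:` field of `dig CAA <name>` output: NOERROR with an empty answer is harmless, SERVFAIL is not.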
 
I have solved the problem.
The problem is related to duckdns.
Duckdns is a free dynamic DNS service that allows you to point a subdomain under duckdns.org, but you can't add a zone or CAA record.
I solved it by buying a domain and pointing it to my VPS with an A record.
Thanks Active8 and wtptrs, you are real experts in this sector.
 
If you are using a CAA record please be sure you have the feature on.

Code:
cd /usr/local/directadmin
./directadmin set dns_caa 1
service directadmin restart
 
Using duckdns.org the problem persists.
Try yourself to create a record with a duckdns.org and point it to a VPS.
It doesn't work.
 
Try yourself to create a record with a duckdns.org
Not sure if this was for me. I was merely pointing out if you are wanting to use CAA records in DA you need to turn on the feature.

I would not use dynamic DNS features personally. DA has its own DNS system installed already.
buying a domain and pointing it to my VPS with an A record
for sure the way to go.
 
Duckdns is a free dynamic DNS service that allows you to point a subdomain under duckdns.org, but you can't add a zone or CAA record.
Odd... then duckdns is one of the few which prevents it.
I got a subdomain on dhs.org and other dynamic DNS services and don't have issues creating a Let's Encrypt certificate.
 