Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
36
Location
Belgium
I got a strange error whilst creating an SSL certificate for a new domain:
CAA record prevents issuing the certificate: SERVFAIL.

Any idea's how to fix this? Thanks
 

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
36
Location
Belgium
Hmm, strange... There seem to be DS records, execpt no DNSSEC enabled for that domain. And the DNSSEC option has dissapeared from the DNS admin menu...
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,359
Location
LT, EU
Just remove DS on domain registrars end then, and it should start to work :)
 

AndreasP

New member
Joined
Jul 4, 2019
Messages
2
Hello

I am getting the same error. I moved from one host to another, and this error coming up now. I find this odd they the client needs to do this when I never had to do this.

Something seems off here.

Could it be a setting on the server?
 

annc

Verified User
Joined
Jun 10, 2008
Messages
44
Same problem here.
Very simple DNS config for domain, no any CAA records. When I try to renew certificate I get:

"
CAA record prevents issuing the certificate: SERVFAIL
__________

My fault - sorry, not valid DNSSEC for my domain :)

"
 
Last edited:

kristian

Verified User
Joined
Nov 4, 2005
Messages
113
Location
Norway
Had the same issue for a domain we moved between servers (using admin backup/restore). For some reason the DNS zone on the target server wasn't signed properly on restore. Creating and removing a dummy entry in the zone caused it to be regenerated and signed, which resolved the CAA error for me.
 
Top