Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
72
Location
Belgium
I got a strange error whilst creating an SSL certificate for a new domain:
CAA record prevents issuing the certificate: SERVFAIL.

Any ideas how to fix this? Thanks
 

k1l0b1t

Verified User
Joined
May 10, 2020
Messages
72
Location
Belgium
Hmm, strange... There seem to be DS records, except no DNSSEC is enabled for that domain. And the DNSSEC option has disappeared from the DNS admin menu...
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,479
Location
LT, EU
Just remove DS on domain registrars end then, and it should start to work :)
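The CAA processing behind the error in this thread, as an added example (not code from the thread, from DirectAdmin or from Let's Encrypt): a Python walk of the CAA tree per RFC 8659 against a stub resolver. The stub's `broken.example` zone answers SERVFAIL for every name under it, which is what a validating resolver returns when a DS record is published at the registrar but the zone itself is not signed; `ok.example` and `strict.example` show the normal allow and deny cases. All zone names and records are constructed for the demonstration.

```python
"""CAA tree walk (RFC 8659) with a stub resolver.

Added example for this thread, not code from DirectAdmin or Let's Encrypt.
All zone names and records below are constructed for the demonstration.
"""
from typing import Callable, List, Tuple

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"

CaaRecord = Tuple[int, str, str]          # (flags, tag, value)
Resolver = Callable[[str], Tuple[str, List[CaaRecord]]]

# Constructed zone data. "ok.example" allows letsencrypt.org; "strict.example"
# allows only ca.other.example and forbids all wildcard issuance (issuewild ";").
CONSTRUCTED_CAA = {
    "ok.example": (NOERROR, [(0, "issue", "letsencrypt.org")]),
    "strict.example": (NOERROR, [(0, "issue", "ca.other.example"),
                                 (0, "issuewild", ";")]),
}


def stub_resolve(owner: str) -> Tuple[str, List[CaaRecord]]:
    """Simulate a validating resolver. Everything at or below broken.example
    returns SERVFAIL, as happens when a DS record exists at the parent but the
    child zone is not signed: the chain of trust is bogus."""
    if owner == "broken.example" or owner.endswith(".broken.example"):
        return SERVFAIL, []
    return CONSTRUCTED_CAA.get(owner, (NOERROR, []))


def relevant_caa_set(name: str, resolve: Resolver):
    """Climb from name toward the root and return the first non-empty CAA RRset.
    Returns (status, rrset, owner) with status 'ok', 'none' or 'servfail'."""
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":                      # *.example.com is evaluated as example.com
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rcode, rrset = resolve(owner)
        if rcode == SERVFAIL:
            # The CA cannot tell "no CAA" from "CAA hidden by a failure",
            # so a lookup failure anywhere on the path blocks issuance.
            return "servfail", [], owner
        if rrset:
            return "ok", rrset, owner
    return "none", [], ""


def issuance_permitted(name: str, ca_domain: str, resolve: Resolver,
                       wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for name, returning (allowed, reason)."""
    status, rrset, owner = relevant_caa_set(name, resolve)
    if status == "servfail":
        return False, f"CAA record prevents issuing the certificate: SERVFAIL at {owner}"
    if status == "none":
        return True, "no CAA records on the path to the root; issuance unrestricted"
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical CAA property {tag!r} at {owner} not understood"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    chosen = issuewild if (wildcard and issuewild) else issue
    if not chosen:
        return True, f"CAA at {owner} carries no applicable issue property"
    # An issue value is "<ca-domain>[; params]"; a bare ";" means no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in chosen}
    if ca_domain.lower() in allowed:
        return True, f"CAA at {owner} authorizes {ca_domain}"
    names = sorted(a for a in allowed if a) or "nobody"
    return False, f"CAA at {owner} authorizes only {names}"


if __name__ == "__main__":
    for fqdn, wild in [("shop.ok.example", False), ("www.strict.example", False),
                       ("*.strict.example", True), ("www.broken.example", False)]:
        print(fqdn, issuance_permitted(fqdn, "letsencrypt.org", stub_resolve, wild))
```

Against a live domain the same check is `dig +dnssec CAA yourdomain` (a validating resolver returns SERVFAIL for a zone whose DS at the parent does not match its keys) together with `dig DS yourdomain` to see whether a DS record is still published; the stub resolver above only stands in for those queries so the walk runs offline.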
 

AndreasP

New member
Joined
Jul 4, 2019
Messages
2
Hello

I am getting the same error. I moved from one host to another, and this error is coming up now. I find it odd that the client needs to do this when I never had to do this.

Something seems off here.

Could it be a setting on the server?
 

annc

Verified User
Joined
Jun 10, 2008
Messages
44
Same problem here.
Very simple DNS config for the domain, no CAA records at all. When I try to renew the certificate I get:

"
CAA record prevents issuing the certificate: SERVFAIL
__________

My fault - sorry, not valid DNSSEC for my domain :)

"
 

kristian

Verified User
Joined
Nov 4, 2005
Messages
134
Location
Norway
Had the same issue for a domain we moved between servers (using admin backup/restore). For some reason the DNS zone on the target server wasn't signed properly on restore. Creating and removing a dummy entry in the zone caused it to be regenerated and signed, which resolved the CAA error for me.
 

Wanabo

Verified User
Joined
Jan 19, 2013
Messages
248
Tried Kristian's suggestion but that did not work. I have 2 domain pointers. When I remove those, letsencrypt is successful. Re-adding the pointers results in a CAA error. My guess is that the domains I use as pointers have an old IP address which I no longer have and are still on the hoster's DNS cluster. Just made a ticket to let him check that. To be continued.
 

wtptrs

Verified User
Joined
Jul 13, 2015
Messages
98
That will surely be it. When you generate a certificate for multiple domains (i.e. a main domain and some domain pointers), you have to make sure DNS settings (IP, CAA record) for all the domains listed in the certificate are valid. You can check these domains yourself, here for example:

 

Wanabo

Verified User
Joined
Jan 19, 2013
Messages
248
My problem is solved. I had the nameservers for the pointers still pointing to the old server.
 

aldhy

Verified User
Joined
Jul 20, 2019
Messages
16
I get the same problem with a .net domain, but the other domain has no problem.
Anyone know this issue?
 

aldhy

Verified User
Joined
Jul 20, 2019
Messages
16
My problem is solved by
Code:
yum -y update dnsmasq bind bind-libs bind-utils

I got this message

Code:
 yum -y update dnsmasq bind bind-libs bind-utils
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from CLN.
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                                                                                | 7.9 kB  00:00:00     
 * cloudlinux-x86_64-server-7: xmlrpc.cln.cloudlinux.com
 * epel: kartolo.sby.datautama.net.id
cloudlinux-imunify360                                                                                                                                                               | 2.7 kB  00:00:00     
cloudlinux-x86_64-server-7                                                                                                                                                          | 1.3 kB  00:00:00     
Package(s) dnsmasq available, but not installed.
No packages marked for update
 

skhristich

Verified User
Joined
Jul 15, 2019
Messages
16
I got this message

Code:
 yum -y update dnsmasq bind bind-libs bind-utils
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from CLN.
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                                                                                | 7.9 kB  00:00:00    
* cloudlinux-x86_64-server-7: xmlrpc.cln.cloudlinux.com
* epel: kartolo.sby.datautama.net.id
cloudlinux-imunify360                                                                                                                                                               | 2.7 kB  00:00:00    
cloudlinux-x86_64-server-7                                                                                                                                                          | 1.3 kB  00:00:00    
Package(s) dnsmasq available, but not installed.
No packages marked for update
Hello,
Please check if bind is set in the exclude line of /etc/yum.conf.
If it is, you need to remove it.
After that, try using this command:
Code:
yum -y install dnsmasq bind bind-libs bind-utils
 