Let's Encrypt error: CAA record prevents issuing the certificate: SERVFAIL.

k1l0b1t

I got a strange error whilst creating an SSL certificate for a new domain:
CAA record prevents issuing the certificate: SERVFAIL.

Any ideas how to fix this? Thanks
 
Hmm, strange... There seem to be DS records, except DNSSEC is not enabled for that domain. And the DNSSEC option has disappeared from the DNS admin menu...
 
Just remove DS on domain registrars end then, and it should start to work :)
 
Hello

I am getting the same error. I moved from one host to another, and this error is coming up now. I find it odd that the client needs to do this when I never had to do this before.

Something seems off here.

Could it be a setting on the server?
 
Same problem here.
Very simple DNS config for the domain, no CAA records at all. When I try to renew the certificate I get:

"CAA record prevents issuing the certificate: SERVFAIL"

My fault, sorry: DNSSEC was not valid for my domain :)
 
Had the same issue for a domain we moved between servers (using admin backup/restore). For some reason the DNS zone on the target server wasn't signed properly on restore. Creating and removing a dummy entry in the zone caused it to be regenerated and signed, which resolved the CAA error for me.
 
Tried the suggestion of Kristian but that did not work. I have 2 domain pointers. When I remove those, Let's Encrypt is successful. Re-adding the pointers results in a CAA error. My guess is that the domains I use as pointers still have an old IP address which I no longer have and are still on the hoster's DNS cluster. Just made a ticket to let him check that. To be continued.
 
That will surely be it. When you generate a certificate for multiple domains (i.e. a main domain and some domain pointers), you have to make sure DNS settings (IP, CAA record) for all the domains listed in the certificate are valid. You can check these domains yourself, here for example:

 
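The two pieces of advice in this thread (drop the stale DS at the registrar when the zone is not signed, and check every name in the certificate, pointers included) can be turned into a repeatable check. The script below is an added example for this thread, not something any participant posted. It reproduces the CAA lookup a CA performs through a DNSSEC-validating resolver and repeats it with checking disabled (`+cd`): if the SERVFAIL disappears with `+cd`, the problem is DNSSEC (DS at the parent without a matching DNSKEY, or signatures that no longer validate); if it stays, the authoritative servers themselves are broken, as with pointers whose nameservers still point at the old server. It assumes `dig` from bind-utils is installed and that `RESOLVER` (1.1.1.1 by default) validates DNSSEC; the `diagnose` function is pure so the classification can be exercised offline.

```shell
#!/usr/bin/env bash
# caa_servfail_check.sh
# Added example for this thread (not posted by anyone in it): reproduce the
# CAA lookup a CA performs and tell a DNSSEC failure apart from a dead
# delegation. Assumes `dig` from bind-utils; RESOLVER is assumed to be a
# DNSSEC-validating recursive resolver (1.1.1.1 by default).

RESOLVER="${RESOLVER:-1.1.1.1}"

# rcode NAME TYPE [extra dig options...]: print the status of the reply,
# e.g. NOERROR, NXDOMAIN or SERVFAIL (empty if dig got no reply at all).
rcode() {
  local name=$1 type=$2
  shift 2
  dig +tries=1 +time=5 "$@" "@${RESOLVER}" "$name" "$type" 2>/dev/null \
    | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# count NAME TYPE: number of records of TYPE at NAME, fetched with +cd so the
# answer comes back even when the zone fails validation.
count() {
  dig +short +cd +tries=1 +time=5 "@${RESOLVER}" "$1" "$2" 2>/dev/null | grep -c . || true
}

# diagnose DS_COUNT DNSKEY_COUNT CAA_RCODE CAA_RCODE_WITH_CD
# Prints a one-word tag followed by the suggested fix. Pure function, so it
# can be exercised without network access.
diagnose() {
  local ds=$1 dnskey=$2 rc=$3 rc_cd=$4
  case "$rc" in
    NOERROR|NXDOMAIN)
      printf 'ok CAA lookup answers with %s; this name does not cause the SERVFAIL\n' "$rc" ;;
    SERVFAIL)
      if [ "$rc_cd" = SERVFAIL ] || [ -z "$rc_cd" ]; then
        printf 'authoritative-failure SERVFAIL even with validation disabled: check the NS delegation and that every listed server really hosts the zone\n'
      elif [ "$ds" -gt 0 ] && [ "$dnskey" -eq 0 ]; then
        printf 'ds-without-dnskey DS record(s) at the parent but no DNSKEY in the zone: remove the DS at the registrar or sign the zone\n'
      elif [ "$ds" -gt 0 ]; then
        printf 'bogus-signatures zone is signed but does not validate (DS/DNSKEY mismatch or stale RRSIGs): re-sign the zone or publish a matching DS\n'
      else
        printf 'parent-or-resolver no DS at the parent yet validation fails: check the parent zone or retry with another validating resolver\n'
      fi ;;
    *)
      printf 'unknown unexpected rcode "%s"\n' "$rc" ;;
  esac
}

# check_domain NAME: gather the four inputs and classify. A CA also walks up
# to the parent names, so run this on the registered domain as well as on
# every hostname (and domain pointer) in the certificate.
check_domain() {
  local name=$1 ds dnskey rc rc_cd
  ds=$(count "$name" DS)
  dnskey=$(count "$name" DNSKEY)
  rc=$(rcode "$name" CAA)
  rc_cd=$(rcode "$name" CAA +cd)
  printf '%s: DS=%s DNSKEY=%s CAA=%s CAA(+cd)=%s\n' "$name" "$ds" "$dnskey" "$rc" "$rc_cd"
  diagnose "$ds" "$dnskey" "$rc" "$rc_cd"
}

# Usage: ./caa_servfail_check.sh example.com www.example.com pointer.example
if [ -n "${1:-}" ]; then
  for name in "$@"; do
    check_domain "$name"
  done
fi
```

Run it with the main domain and every pointer that goes into the certificate; a `ds-without-dnskey` result is the registrar-side DS the thread describes, and `authoritative-failure` is the stale-nameserver case. Any other validating resolver can be substituted via `RESOLVER=…`; a non-validating resolver would never return the SERVFAIL the CA sees.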
My problem is solved. I had the nameservers for the pointers still pointing to the old server.
 
I get the same problem with a .net domain, but the other domain has no problem.
Does anyone know this issue?
 
My problem is solved by
Code:
yum -y update dnsmasq bind bind-libs bind-utils


I got this message

Code:
yum -y update dnsmasq bind bind-libs bind-utils
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from CLN.
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                 | 7.9 kB  00:00:00
 * cloudlinux-x86_64-server-7: xmlrpc.cln.cloudlinux.com
 * epel: kartolo.sby.datautama.net.id
cloudlinux-imunify360                | 2.7 kB  00:00:00
cloudlinux-x86_64-server-7           | 1.3 kB  00:00:00
Package(s) dnsmasq available, but not installed.
No packages marked for update
 
Hello,
Please check whether bind is listed on the exclude line in /etc/yum.conf.
If it is, you need to remove it.
And after that try using this command:
Code:
yum -y install dnsmasq bind bind-libs bind-utils
 