Able to issue against CNAME, but not the actual server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly --webroot -w /var/www/html -d -d

It produced this output:

[root@myproxy1 ~]# certbot certonly --webroot -w /var/www/html -d -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain
Challenge failed for domain
http-01 challenge for
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version):
Apache HTTP Server

Name : httpd
Arch : x86_64
Version : 2.4.6
Release : 90.el7

The operating system my web server runs on is (include version):

NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.36.0

This problem started in the April time frame (when multi endpoint validation was implemented, or at least coincidentally in that time frame). Validation/issuing became far more hit or miss at that time. At that time we were using and dns txt record validation method. This no longer works at all, even when using the staging endpoint. As a result, I’ve switched to certbot as I’m banging my head against a wall and we are close to expiration.

As you can see we get SERVFAIL errors due to CAA records. At least this is the most frequent error. Sometimes it’s for the A record. Sometimes we get: Detail: No valid IP addresses found for And every once in a while it will actually work, against staging only (using the command above). is a cname to (the actual web server). We are trying to issue a cert with with as a dns alternate name. Again, prior to the April time frame this worked.

Today I discovered that if I leave off the ‘’ I am able to issue a cert (staging and prod) for just ‘’. However, I am unable to issue a cert for only ‘’ or for both in one cert, no matter the order.

Errors have been very inconsistent. Any help is appreciated.


The site has some errors (timeouts) in its results:

However, the log messages are quite technical and as I’m not an unbound (the DNS resolver used by Let’s Encrypt by the way) expert, I don’t know how to interpret them.

A possible interesting thread I found: How to reproduce CAA SERVFAIL? Works for me, doesn't for LE staging or prod Seems to be a matter of 0x20 (capitalization) randomization not going correctly.


Hi @stargelcm

checking your domain, some of your name servers are flaky - see

Most are good, but two ipv6 addresses are fatal.

No TCP-support (authoritative name servers must support TCP):

X Fatal error: Nameserver doesn’t support TCP connection: / 2620:0:2b30:304::96: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: / 2620:0:2b30:304::32: Timeout

And critical:

X Nameserver Timeout checking Echo Capitalization: / 2620:0:2b30:304::96
X Nameserver Timeout checking Echo Capitalization: / 2620:0:2b30:304::32
X Nameserver Timeout checking EDNS512: / 2620:0:2b30:304::96
X Nameserver Timeout checking EDNS512: / 2620:0:2b30:304::32

A non-working Echo Capitalization check is fatal; that’s the DNS 0x20 problem.

Ah - I see: Rechecked with Unbound, first a Servfail, now it works, some seconds later, the next Servfail.

Check, why these two ipv6 addresses are so bad.

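As an added illustration of the two checks discussed in this thread (DNS 0x20 "echo capitalization" and TCP support on authoritative servers), here is a small self-contained model; it is not code from the thread, from Certbot or from Let's Encrypt's resolver. All DNS messages are constructed in-process, and only `tcp_query` talks to a real server, whose address you supply (an assumption, as are the example names).

```python
import random
import socket
import struct

CAA = 257  # RR type the CA's validator looks up before issuance (the SERVFAILs in the thread)

def encode_name(name: str) -> bytes:
    """Wire-format a domain name, preserving the exact letter case of each label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def question_name(msg: bytes) -> str:
    """Read the (uncompressed) QNAME from the question section, case preserved."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def randomize_case(name: str, rng: random.Random) -> str:
    """DNS 0x20 mixing: flip each letter's case at random, so a genuine reply must echo it."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)

def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """Standard query: RD set, one question, no answer/authority/additional records."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)

def mock_authoritative(query: bytes, lowercases_qname: bool) -> bytes:
    """Constructed reply (QR/RD/RA set, question copied back, no records). A broken server
    rewrites the QNAME to lower case; that is what the 'Echo Capitalization' test catches."""
    qname = question_name(query)
    if lowercases_qname:
        qname = qname.lower()
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname) + query[-4:]

def echo_capitalization_ok(query: bytes, response: bytes) -> bool:
    """What a 0x20-validating resolver such as Unbound requires before trusting a reply:
    matching transaction id and a byte-identical, case-sensitive echo of the QNAME."""
    return query[:2] == response[:2] and question_name(query) == question_name(response)

def tcp_query(server: str, query: bytes, timeout: float = 5.0) -> bytes:
    """Query over TCP with the 2-byte length prefix (RFC 1035 s4.2.2). A timeout here is the
    'Nameserver doesn't support TCP connection' failure seen in the thread. Needs network access."""
    with socket.create_connection((server, 53), timeout=timeout) as s:  # accepts IPv6 literals
        s.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            data += s.recv(length - len(data))
        return data
```

To reproduce the checker's result against one of the listed IPv6 servers, pass that address and a `build_query(randomize_case("your.zone", random.Random()), CAA, txid)` to `tcp_query`, then run `echo_capitalization_ok` on what comes back.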

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.