While trying to generate a certificate for CloudFront, I’m now receiving an error informing me that the CAA check has failed, as there isn’t a record present just yet. Three months ago while renewing, and every time previously, there haven’t been any issues. After searching around it seems like the CAA check is relatively new in Let’s Encrypt, but I couldn’t find any mention of whether it’s a requirement yet, as it didn’t seem to be a requirement just a few months ago.
I’m using Amazon Route 53 for DNS, and unfortunately it doesn’t support adding a CAA entry just yet, so would the only other option be to use a different DNS service, preferably one where I can edit the zone file manually, until Amazon enables this feature? I can access my CDN just fine without SSL.
Here’s the output while attempting to generate the certificate:
# certbot certonly --manual -d i.ncdn.moe
Failed authorization procedure. i.ncdn.moe (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for i.ncdn.moe

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: i.ncdn.moe
   Type: connection
   Detail: DNS problem: SERVFAIL looking up CAA for i.ncdn.moe