CAA errors - nameservers may be malfunctioning while creating a new cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
hoteles.truecalia.com and www.viperenergy.com

I ran this command:
https://acme-v01.api.letsencrypt.org/acme/new-cert

It produced this output:

{
  "type": "urn:acme:error:caa",
  "detail": "Error creating new cert :: While processing CAA for hoteles.truecalia.com: DNS problem: SERVFAIL looking up CAA for hoteles.truecalia.com - the domain's nameservers may be malfunctioning",
  "status": 403
}

Another similar case:

"detail": "Error creating new cert :: While processing CAA for www.viperenergy.com: CAA record for www.viperenergy.com prevents issuance",

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Your authoritative nameservers produce SERVFAIL when queried for the CAA records of your domain.

There are some other threads that had the exact same issue with the canaldominios nameservers: https://community.letsencrypt.org/search?q=canaldominios

Here is a reproduction that you can share with your DNS host’s support:

$ dig +dnssec @dns2.canaldominios.com hoteles.truecalia.com caa

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> +dnssec @dns2.canaldominios.com hoteles.truecalia.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1386
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;hoteles.truecalia.com.         IN      CAA

;; ANSWER SECTION:
hoteles.truecalia.com.  3600    IN      CNAME   000004-whitelabel.property.datahc.com.

;; AUTHORITY SECTION:
truecalia.com.          3600    IN      SOA     dns1.canaldominios.com. dns.canaldominios.com. 1 7200 1800 151200 3600

;; Query time: 413 msec
;; SERVER: 82.194.64.51#53(82.194.64.51)
;; WHEN: Fri Mar 06 12:51:52 AEDT 2020
;; MSG SIZE  rcvd: 146

Note the status is SERVFAIL for a direct query to dns2.canaldominios.com.

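The two failures in this thread come from the same step of issuance: before signing, the CA looks up CAA for the requested name and, if nothing is found there, for each parent name in turn, and it must refuse if any of those lookups fails or if the first record set it finds does not name the CA. The following Python model of that check is an added example, not code from the thread and not Let's Encrypt's own implementation. It runs against a constructed stub resolver: the SERVFAIL for hoteles.truecalia.com mirrors the dig output above (the stub answers SERVFAIL directly instead of chasing the CNAME), while the `issue` record naming `ca.example` under viperenergy.com and the records under example.com are invented to illustrate the "prevents issuance" case and a permitted case; the real viperenergy.com records are not shown in the thread.

```python
"""Offline model of a CA's CAA check (RFC 8659 tree-climbing).

Added example; not Let's Encrypt's code. All zone data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NOERROR = "NOERROR"
SERVFAIL = "SERVFAIL"
CRITICAL = 128  # RFC 8659 issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed stub zone data: name -> (rcode, CAA RRset).
# hoteles.truecalia.com mirrors the SERVFAIL seen in the thread; the record
# naming "ca.example" under viperenergy.com is invented for illustration.
STUB_ZONE: Dict[str, Tuple[str, List[CAARecord]]] = {
    "hoteles.truecalia.com.": (SERVFAIL, []),
    "truecalia.com.": (NOERROR, []),
    "www.viperenergy.com.": (NOERROR, []),
    "viperenergy.com.": (NOERROR, [CAARecord(0, "issue", "ca.example")]),
    "www.example.com.": (NOERROR, []),
    "example.com.": (NOERROR, [CAARecord(0, "issue", "letsencrypt.org"),
                               CAARecord(0, "iodef", "mailto:security@example.com")]),
}

Lookup = Callable[[str], Tuple[str, List[CAARecord]]]


def stub_lookup(name: str) -> Tuple[str, List[CAARecord]]:
    """Stand-in for a real CAA query; unknown names answer NOERROR with no records."""
    return STUB_ZONE.get(name, (NOERROR, []))


def climb(name: str) -> List[str]:
    """Return the name and each of its ancestors (excluding the root), fully qualified."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def relevant_caa_set(name: str, lookup: Lookup) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the first non-empty CAA RRset found climbing toward the root.

    A failed lookup at any level is a hard error: the CA cannot tell whether a
    restricting record exists, so it must not issue.
    """
    for candidate in climb(name):
        rcode, records = lookup(candidate)
        if rcode != NOERROR:
            raise LookupError(
                f"DNS problem: {rcode} looking up CAA for {candidate.rstrip('.')}")
        if records:
            return candidate, records
    return None, []


def issuer_of(value: str) -> str:
    """The issuer-domain part of an issue/issuewild value, ignoring parameters."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca_domain: str, lookup: Lookup = stub_lookup,
                wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether ca_domain may issue for name. Returns (allowed, reason)."""
    try:
        origin, records = relevant_caa_set(name, lookup)
    except LookupError as err:
        return False, str(err)
    if not records:
        return True, "no CAA records found; issuance is not restricted"
    # An issuer-critical record with a tag this CA does not understand forbids issuance.
    for rec in records:
        if rec.flags & CRITICAL and rec.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {rec.tag!r} at {origin}"
    applicable = [r for r in records if r.tag == "issue"]
    if wildcard:
        # issuewild records, when present, take precedence for wildcard requests.
        wild = [r for r in records if r.tag == "issuewild"]
        applicable = wild or applicable
    if not applicable:
        return True, f"no applicable issue records at {origin}; issuance is not restricted"
    if any(issuer_of(r.value) == ca_domain.lower() for r in applicable):
        return True, f"CAA at {origin} authorises {ca_domain}"
    return False, f"CAA record at {origin.rstrip('.')} prevents issuance by {ca_domain}"


if __name__ == "__main__":
    for host in ("hoteles.truecalia.com", "www.viperenergy.com", "www.example.com"):
        allowed, reason = caa_permits(host, "letsencrypt.org")
        print(f"{host}: {'OK' if allowed else 'REFUSED'} ({reason})")
```

Running the block prints one line per host: the truecalia.com name is refused with the SERVFAIL reason, the viperenergy.com name is refused because the first record set found names another CA, and www.example.com is permitted. To reproduce the SERVFAIL case against the real nameservers, the `dig` command in the reply above is the right tool; the point of the model is to show why a failure at any level of the climb, not just at the requested name, is enough to block issuance.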