CAA errors - nameservers may be malfunctioning while creating a new cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: and

I ran this command:

It produced this output:

"type": "urn:acme:error:caa",
"detail": "Error creating new cert :: While processing CAA for DNS problem: SERVFAIL looking up CAA for - the domain's nameservers may be malfunctioning",
"status": 403

Another similar case:

"detail": "Error creating new cert :: While processing CAA for CAA record for prevents issuance",

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Your authoritative nameservers produce SERVFAIL when queried for the CAA records of your domain.

There are some other threads that had the exact same issue with the canaldominios nameservers:

Here is a reproduction that you can share with your DNS host’s support:

$ dig +dnssec caa

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> +dnssec caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1386
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;         IN      CAA

;; ANSWER SECTION:
  3600    IN      CNAME

;; AUTHORITY SECTION:
          3600    IN      SOA 1 7200 1800 151200 3600

;; Query time: 413 msec
;; WHEN: Fri Mar 06 12:51:52 AEDT 2020
;; MSG SIZE  rcvd: 146

Note the status is SERVFAIL for a direct query to


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
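
The two errors quoted in this thread come from different outcomes of the same CAA check, which the following added example reproduces (it is not code from the thread, from the client, or from any CA). It follows the RFC 8659 lookup over a constructed, offline DNS table and goes slightly beyond the thread by also covering wildcard names; the domain names, the table and the function names are hypothetical, and `letsencrypt.org` is used as the issuer identifier.

```python
# Added example: CAA evaluation per RFC 8659 over a constructed, offline DNS view.
SERVFAIL, NXDOMAIN = "SERVFAIL", "NXDOMAIN"

# Constructed sample data (hypothetical names): name -> rcode, or CAA RRset
# as a list of (flags, tag, value). An empty list is NOERROR with no CAA.
SAMPLE_DNS = {
    "broken.example": SERVFAIL,
    "www.pinned.example": [],
    "pinned.example": [(0, "issue", "other-ca.example")],
    "wild.example": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "open.example": [(0, "iodef", "mailto:sec@open.example")],
}


def relevant_rrset(name, dns):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        answer = dns.get(candidate, NXDOMAIN)
        if answer == SERVFAIL:
            # A failed lookup is not "no CAA": the CA must refuse to issue.
            raise LookupError(f"SERVFAIL looking up CAA for {candidate}")
        if answer != NXDOMAIN and answer:
            return candidate, answer
    return None, []


def check_issuance(name, issuer, dns):
    """Return (allowed, reason) for `issuer` issuing a certificate for `name`."""
    wildcard = name.startswith("*.")
    try:
        where, rrset = relevant_rrset(name[2:] if wildcard else name, dns)
    except LookupError as exc:
        return False, f"{exc} - the domain's nameservers may be malfunctioning"
    props = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    if any(f & 0x80 and t not in ("issue", "issuewild", "iodef") for f, t, _ in props):
        return False, f"CAA record for {where} has an unknown critical property"
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in props) else "issue"
    values = [v for _, t, v in props if t == tag]
    if not values:
        return True, "no CAA issue property applies; issuance is unrestricted"
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if issuer.lower() in allowed:
        return True, f"CAA record for {where} authorizes {issuer}"
    return False, f"CAA record for {where} prevents issuance"
```

The SERVFAIL branch is the case in this thread: the domain owner may have no CAA records at all, but the CA cannot tell that from a failed lookup, so the fix belongs on the authoritative nameservers.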