CAA record preventing issuance since Friday 26th but nothing has obviously changed

My domain is: and

I ran this command:

certbot certonly --dry-run -d --webroot --webroot-path /var/www/

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Further notes:

We have been using letsencrypt without any CAA issues for several years.

The CAA for this domain is correct:

The earliest renewal failure was logged at 0733Z on Friday 26th, but the same issue is now affecting all pending renewals and fresh issuances across our domains and I have not been able to reproduce on any other domains, e.g. my personal domain which also uses letsencrypt with a similar CAA record.

Let's Encrypt made a recent change that I think they are reversing. But, the reason for the failure is you are using the flag value of 128 which means critical. You have this set for iodef but Let's Encrypt does not support iodef.

For now, setting the flag to 0 for iodef should allow cert issuance.

EDIT: Below is a post with more detail
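To see why a critical flag on iodef blocks a CA that does not implement iodef, here is a minimal RFC 8659 CAA issuance check as an added example; it is not code from this thread, from Certbot or from Let's Encrypt. The names `CAARecord`, `parse_caa`, `issuance_allowed`, the sample zone and the mailto address are constructed for illustration.

```python
"""Minimal RFC 8659 CAA issuance check (hypothetical helper, not Certbot's
or Let's Encrypt's code) showing why a CAA 'iodef' record with the
critical flag (128) blocks a CA that does not implement iodef."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # high bit of the one-byte CAA flags field


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rrset_text: str) -> list[CAARecord]:
    """Parse presentation-format CAA RDATA, e.g. '0 issue "letsencrypt.org"'."""
    records = []
    for line in rrset_text.strip().splitlines():
        flags, tag, value = line.split(None, 2)
        records.append(CAARecord(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def issuance_allowed(records, ca_domain, supported_tags):
    """Return (allowed, reason) for non-wildcard issuance by ca_domain.

    supported_tags: property tags the CA implements. RFC 8659 s4.1: if the
    critical flag is set on a tag the CA does not understand, it MUST NOT
    issue, whatever the other records say. Unknown non-critical tags are ignored.
    """
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag not in supported_tags:
            return False, f"critical flag set on unsupported tag '{r.tag}'"
    issue = [r for r in records if r.tag == "issue"]
    if not issue:
        return True, "no issue property: CAA does not restrict issuance"
    for r in issue:
        # value is 'issuer-domain-name [; parameters]'; a bare ';' names no CA
        if r.value.split(";", 1)[0].strip().lower() == ca_domain:
            return True, f"{ca_domain} listed in issue"
    return False, f"{ca_domain} not listed in any issue property"


# Constructed RRsets modelled on the thread: only the iodef flag differs.
BROKEN_ZONE = '0 issue "letsencrypt.org"\n128 iodef "mailto:security@example.com"'
FIXED_ZONE = BROKEN_ZONE.replace("128 iodef", "0 iodef")
NO_IODEF_CA = {"issue", "issuewild"}  # a CA that does not implement iodef

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        ok, why = issuance_allowed(parse_caa(zone), "letsencrypt.org", NO_IODEF_CA)
        print(f"{name}: allowed={ok} ({why})")
```

Running it prints a refusal for the `128 iodef` zone and an approval for the `0 iodef` zone; a CA whose supported set includes `iodef` accepts both.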


Yes, we'll be rolling back the breakage this week.

As said above, unsetting the critical flag is one option.

But if you've restricted issue to Let's Encrypt, there's also not much point in it, as we don't send iodef mails. You could just remove the entire entry.


Well, iodef is kind of weird, in that it's actually intended to be read by all the CAs that you don't list. That is, with Let's Encrypt being the only entry, it doesn't matter whether or not Let's Encrypt reads it, the intention is to help catch/diagnose someone trying to issue via a different CA.


Agree. But, if LE supported iodef it could report violations of accounturi, issuewild, and similar.

