CAA record prevents issuing the certificate: SERVFAIL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://agrawalsamajnavimumbai.org/

I ran this command: I tried to issue the SSL directly from the DirectAdmin control panel

It produced this output:

Could not execute your request
CAA record prevents issuing the certificate: SERVFAIL

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

As I cannot currently access any of the DNS records for agrawalsamajnavimumbai.org with dig, it appears that one or more of the DNS servers for agrawalsamajnavimumbai.org has major problems.

Let's Debug on the other hand did manage to at least reach a functioning DNS server and...

For an http-01 challenge:

For a dns-01 challenge:

1 Like
dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3600 IN	NS	ns2.influka.com.
agrawalsamajnavimumbai.org. 3600 IN	NS	ns1.influka.com.


1 Like

@Rip

If you would, try a couple of times. I've had about a 75% failure rate with dig.

PS - I'm currently out of likes, so here:

:two_hearts:

:blush:

2 Likes
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3414 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3414 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3413 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3413 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3413 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3413 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3412 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3412 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3412 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3412 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.

From my location on the left coast it works just fine.

2 Likes

Interesting... :thinking:

I'm wondering from where Google and Let's Encrypt are checking...

Let's Debug got through on the first shot as well...

2 Likes

Hey, thanks for your response. Could one of the reasons be that I just moved their hosting, and not all the DNS redirect to influka? Some are still redirected to my old hosting. Probably would take some time for that to be updated as well?

1 Like

There is no CAA policy on this hostname

Feature not implemented or disabled

Your server doesn't support this feature.

1 Like

That's what I gathered too. I think it's the confusing SERVFAIL message given when lookup of the CAA record fails that's being reported that leads to the belief of CAA restriction.

1 Like

Was this the entire error message or is there more?

1 Like

That's a good question. I know that Let's Encrypt will not proceed under any circumstances if there is a SERVFAIL when looking up the CAA record. It's kind of a de facto CAA policy failure.

And I don't think dig supports caa lookup directly.

Current versions of dig definitely do support caa queries (run dig example.com caa). I'm not sure what version it was added though.

2 Likes

Well, I'm definitely upgrading. Thanks.

Looks like CAA record support was added to BIND in version 9.9.6. So I'd guess dig versions at least 9.9.6 also support querying them.

1 Like

How do I look for more errors? It's only giving me that much. I copy-pasted the entire thing.

I think you can use cURL/dig to test against each nameserver.
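
Added example, not part of the original thread: one way to run the per-nameserver test suggested above, asking each authoritative server directly for the CAA record and flagging any lookup error (such as the SERVFAIL that, per the discussion above, makes Let's Encrypt refuse to issue). The function names, the script name and the sample dig header are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-nameserver CAA health check (not from the thread).
# Usage: bash caa_check.sh example.org   (script name is hypothetical)

# Pull the RCODE (NOERROR, SERVFAIL, ...) out of dig output read on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count CAA resource records in dig answer output read on stdin.
caa_count() {
  grep -c '[[:space:]]CAA[[:space:]]' || true
}

# Translate one server's reply into its effect on a CA's CAA check.
# $1 = RCODE (empty when no reply arrived), $2 = number of CAA records
caa_verdict() {
  case "$1" in
    NOERROR)
      if [ "$2" -gt 0 ]; then echo "ok: CAA records present, the CA must be listed"
      else echo "ok: no CAA records at this name"; fi ;;
    NXDOMAIN) echo "ok: name does not exist, so no CAA records" ;;
    "") echo "fail: no response (timeout or unreachable)" ;;
    *) echo "fail: $1, the lookup error blocks issuance" ;;
  esac
}

# Ask every authoritative nameserver of $1 for its CAA record set.
check_domain() {
  local domain="$1" ns out rcode count
  for ns in $(dig +short NS "$domain"); do
    out=$(dig "@$ns" "$domain" CAA +norecurse +noall +comments +answer \
              +time=3 +tries=1)
    rcode=$(printf '%s\n' "$out" | dig_status)
    count=$(printf '%s\n' "$out" | caa_count)
    printf '%-28s %s\n' "$ns" "$(caa_verdict "$rcode" "$count")"
  done
}

# Constructed dig header, shaped like a reply from a broken nameserver.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'

if [ "$#" -gt 0 ]; then
  check_domain "$1"    # live check, needs network access and dig
else
  caa_verdict "$(printf '%s\n' "$SAMPLE" | dig_status)" 0   # offline demo
fi
```

A nameserver that answers NS queries but returns SERVFAIL or nothing for CAA shows up here as a `fail` line next to its hostname, which is the server to fix or remove from the delegation.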

Hi @audreyeven1400

You have indicated that you are using DirectAdmin to manage your website. I am not an expert with DirectAdmin, but there are some knowledgeable people here who might be able to help you.

If I'm not mistaken, there is a DNS Administration section in DirectAdmin where you might be able to enter a correct CAA record that would allow the process to continue without error, but I am absolutely not certain how to do it with your setup. (Some hosting providers don't allow CAA txt records for some reason.)

You might also find a section in your DirectAdmin that will show you additional error information, but again I don't know for sure.

Also is influka.com CURRENTLY hosting your website?

I may be posing more questions than answers but my intent is to give you food for thought and some possible places to search.

Might want to look into this also... would help a lot!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.