CAA record prevents issuing the certificate: SERVFAIL

audreyeven1400 · February 4, 2021, 2:23pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://agrawalsamajnavimumbai.org/

I ran this command: I tried to issue the SSL Directly from the DirectAdmin ControlPanel

It produced this output:

Could not execute your request
CAA record prevents issuing the certificate: SERVFAIL

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

griffin · February 4, 2021, 5:02pm

Welcome to the Let's Encrypt Community

As I cannot currently access any of the DNS records for agrawalsamajnavimumbai.org with dig, it appears that one or more of the DNS servers for agrawalsamajnavimumbai.org has major problems.

Let's Debug on the other hand did manage to at least reach a functioning DNS server and...

For an http-01 challenge:

For a dns-01 challenge:

Rip · February 4, 2021, 5:05pm

dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3600 IN	NS	ns2.influka.com.
agrawalsamajnavimumbai.org. 3600 IN	NS	ns1.influka.com.

griffin · February 4, 2021, 5:07pm

@Rip

If you would, try a couple of times. I've had about a 75% failure rate with dig.

PS - I'm currently out of likes, so here:

Rip · February 4, 2021, 5:10pm

rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3414 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3414 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3413 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3413 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3413 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3413 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3412 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3412 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3412 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3412 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3411 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3411 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3410 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3410 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.
rip:T430 ~ >> dig agrawalsamajnavimumbai.org NS +noall +answer
agrawalsamajnavimumbai.org. 3409 IN	NS	ns1.influka.com.
agrawalsamajnavimumbai.org. 3409 IN	NS	ns2.influka.com.

From my location on the left coast it works just fine.

griffin · February 4, 2021, 5:12pm

Interesting...

I'm wondering from where Google and Let's Encrypt are checking...

Let's Debug got through on the first shot as well...

audreyeven1400 · February 4, 2021, 5:13pm

Hey Thnks for your Response. Could one of the reason be that I just moved their hosting, and not all the DNS redirect to influka. Some are still redirected to my old hosting. Probably would take some time for that to be updated as well?

Rip · February 4, 2021, 5:16pm

There is no CAA policy on this hostname

Feature not implemented or disabled

Your server doesn't support this feature.

griffin · February 4, 2021, 5:18pm

That's what I gathered too. I think it's the confusing SERVFAIL message given when lookup of the CAA record fails that's being reported that leads to the belief of CAA restriction.

Rip · February 4, 2021, 5:19pm

Was this the entire error message or is there more?

griffin · February 4, 2021, 5:20pm

That's a good question. I know that Let's Encrypt will not proceed under any circumstances if there is a SERVFAIL when looking up the CAA record. It's kind of a de facto CAA policy failure.

Rip · February 4, 2021, 5:25pm

And I don't think dig supports caa lookup directly.

rmbolger · February 4, 2021, 5:49pm

Current versions of dig definitely do support caa queries (run dig example.com caa). I'm not sure what version it was added though.

Rip · February 4, 2021, 5:58pm

well I'm definitely upgrading. Thanks.

rmbolger · February 4, 2021, 6:26pm

Looks like CAA record support was added to BIND in version 9.9.6. So I'd guess dig versions at least 9.9.6 also support querying them.

audreyeven1400 · February 4, 2021, 9:01pm

How do I look for more error? Its only giving me that much. I copy pasted the entire thing.

griffin · February 4, 2021, 9:31pm

I think you can use cURL/dig to test against each nameserver.

Rip · February 4, 2021, 9:28pm

Hi @audreyeven1400

You have indicated that you are using DirectAdmin to manage your website. I am not an expert with DirectAdmin, but there are some knowledgeable people here might be able to help you.

If I'm not mistaken, there is a DNS Administration section in DirectAdmin where you might be able to enter a correct CAA record that would allow the process to continue without error, but I am absolutely not certain how to do it with your set up. (Some hosting providers don't allow CAA txt records for some reason)

You might also find a section in your DirectAdmin that will show you additional error information, but again I don't know for sure.

Also is influka.com CURRENTLY hosting your website?

I may be posing more questions than answers but my intent is to give you food for thought and some possible places to search.

Rip · February 4, 2021, 10:03pm

Might want to look in to this also... would help a lot!

system · March 6, 2021, 10:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.