Cert renew failed - CAA failure


Trying to renew my certificate, I get this:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/crm.bellesuisse.ch/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Domain: crm.bellesuisse.ch
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for crm.bellesuisse.ch

    • the domain's nameservers may be malfunctioning

I googled a bit; many say to wait because it could be a temporary DNS failure, but it doesn't seem so... any hint?

Thanks a lot


The hint is "CAA".
Is that properly configured/operating?


In this case, it looks like a permanent error.

From what I can tell, it looks like your registrar's nameservers (ns1.register.it, ns2.register.it) are sending an invalid DNSSEC signature when querying for your domain's CAA record.

That's a lot of jargon but I think one of the following might work:

  • Creating a CAA record for your domain could work around the issue by avoiding an NSEC response
  • Disabling DNSSEC for your domain at your registrar, which will avoid signature validation
  • Contacting whoever runs register.it and asking them to rehash (create DNSSEC signatures) for your zone.
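An added diagnostic script (not from this thread or from certbot) that reproduces what the CA's validating resolver sees. It queries CAA for the name and every parent (RFC 8659 tree climbing, so a broken parent zone breaks the child too), once with DNSSEC validation and once with +cd (Checking Disabled), and classifies the result: SERVFAIL under validation but an answer with +cd means the data is served but its RRSIG/NSEC proof does not verify, which is the "invalid DNSSEC signature" case above; SERVFAIL both ways points at the nameservers themselves. It assumes dig (bind-utils/dnsutils) is installed and that 1.1.1.1 and 9.9.9.9 are reachable validating resolvers; the domain is the one from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes `dig` is installed
# and that the resolvers below are reachable DNSSEC-validating resolvers.
RESOLVERS="${RESOLVERS:-1.1.1.1 9.9.9.9}"

# RFC 8659 tree climbing: a CA checks CAA on the name and on each parent,
# e.g. crm.bellesuisse.ch -> bellesuisse.ch -> ch (trailing dot ignored).
caa_names() {
    name=${1%.}
    out=""
    while [ -n "$name" ]; do
        out="$out${out:+ }$name"
        case $name in
            *.*) name=${name#*.} ;;   # drop the leftmost label
            *)   name="" ;;           # reached the TLD, stop
        esac
    done
    printf '%s\n' "$out"
}

# Pull the RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...) out of dig's header line.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# query_rcode <resolver> <name> [+cd]
# Without +cd the resolver validates DNSSEC and answers SERVFAIL on a bad
# signature or NSEC/NSEC3 proof; with +cd it returns whatever it got.
# $3 is deliberately unquoted so an absent flag expands to nothing.
query_rcode() {
    dig @"$1" "$2" CAA +dnssec +time=3 +tries=1 $3 | rcode_of
}

# classify <validating-rcode> <checking-disabled-rcode> -> one diagnosis token
classify() {
    case "$1/$2" in
        /*|*/)             echo no-answer ;;                 # a query timed out
        SERVFAIL/SERVFAIL) echo nameserver-failure ;;        # broken even without validation
        SERVFAIL/*)        echo dnssec-validation-failure ;; # served, but signatures/NSEC fail
        NOERROR/*|NXDOMAIN/*) echo ok ;;                     # validates (CAA present or proven absent)
        *)                 echo unexpected ;;
    esac
}

main() {
    for name in $(caa_names "$1"); do
        for r in $RESOLVERS; do
            v=$(query_rcode "$r" "$name")
            nv=$(query_rcode "$r" "$name" +cd)
            printf '%-22s @%-9s validating=%-9s +cd=%-9s %s\n' \
                "$name" "$r" "${v:-TIMEOUT}" "${nv:-TIMEOUT}" "$(classify "$v" "$nv")"
        done
    done
}

# Usage: sh caa-check.sh crm.bellesuisse.ch
if [ $# -gt 0 ]; then main "$@"; fi
```

If a row comes back as dnssec-validation-failure, `dig @ns1.register.it crm.bellesuisse.ch CAA +dnssec +cd` shows the RRSIG and NSEC/NSEC3 records the authoritative server is actually handing out, and BIND's `delv crm.bellesuisse.ch CAA` reports which signature fails to validate. An "ok" on every row after a fix is what the CA needs to see before a renewal will succeed.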
