Cert renew failed - CAA failure

hello,

trying to renew my certificate, I get this:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/crm.bellesuisse.ch/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: crm.bellesuisse.ch
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for crm.bellesuisse.ch

    • the domain's nameservers may be malfunctioning

I googled a bit, many say to wait because it could be a temporary dns fail, but it doesn't seem so... any hint?

Thanks a lot

1 Like

The hint is "CAA".
Is that properly configured/operating?

2 Likes

In this case, it looks like a permanent error.

From what I can tell, it looks like your registrar's nameservers (ns1.register.it, ns2.register.it) are sending an invalid DNSSEC signature when querying for your domain's CAA record.

That's a lot of jargon but I think one of the following might work:

  • Creating a CAA record for your domain could work around the issue by avoiding having an NSEC response
  • Disabling DNSSEC for your domain at your registrar, which will avoid signature validation
  • Contacting whoever runs register.it and asking them to rehash (create DNSSEC signatures) for your zone.
4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.