Certbot giving error dns-problem servfail looking up caa-for


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
deutschefin.tech

I ran this command: In the past this command worked well for other envs, e.g. dev, uat, etc. I also added TXT records for all of these domains.

sudo certbot -d api.stg.deutschefin.tech --manual --preferred-challenges dns certonly

It produced this output:
Failed authorization procedure. api.stg.deutschefin.tech (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for api.stg.deutschefin.tech

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: api.stg.deutschefin.tech
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for
    api.stg.deutschefin.tech

My web server is (include version):
Ubuntu 18.04.1 LTS

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Azure

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

Same as CAA behaviour changed? maybe?

Common factors: Azure, FORMERR.


#3

Thanks for your quick response.
Do we have any workaround for this problem?
Or do we need to wait one week, as mentioned in the above post?


#4

I might be wrong as I’m not completely across the issue in that thread, but if you create the CAA record in Azure DNS:

api.stg.deutschefin.tech.    IN    CAA 0 issue "letsencrypt.org"

Then the nameserver should return NOERROR rather than FORMERR, and issuance should succeed.
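
Why the record suggested in #4 would change the outcome, as an added example that is not part of the original thread: a minimal model of the CA-side CAA check (RFC 8659 tree climbing) run over constructed resolver answers. The answer tables, the `ca.example` issuer and the function name are assumptions for illustration; wildcard (`issuewild`) handling and the critical flag are left out.

```python
# Added example: models the CA-side CAA check (RFC 8659 tree climbing).
# All resolver answers below are constructed sample data, not real lookups.
OK_RCODES = {"NOERROR", "NXDOMAIN"}  # both mean "answered, possibly with no records"

# name -> (rcode, [(flags, tag, value), ...]); names not listed answer NOERROR/empty
BROKEN = {"api.stg.deutschefin.tech.": ("SERVFAIL", [])}
FIXED = {"api.stg.deutschefin.tech.": ("NOERROR", [(0, "issue", "letsencrypt.org")])}
OTHER_CA = {"deutschefin.tech.": ("NOERROR", [(0, "issue", "ca.example")])}


def caa_decision(answers, fqdn, ca="letsencrypt.org"):
    """Return (verdict, reason) for issuing a non-wildcard cert for fqdn."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, records = answers.get(name, ("NOERROR", []))
        if rcode not in OK_RCODES:
            # A failed lookup is not the same as "no CAA": the CA cannot tell
            # whether a restriction exists, so it refuses to issue.
            return "deny", f"{rcode} looking up CAA for {name}"
        if not records:
            continue  # empty answer: climb to the parent name
        # First non-empty RRset is the relevant one; climbing stops here.
        issuers = [v.split(";")[0].strip() for _, tag, v in records if tag == "issue"]
        if not issuers or ca in issuers:
            return "allow", f"CAA at {name} permits {ca}"
        return "deny", f"CAA at {name} does not list {ca}"
    return "allow", "no CAA records at any level"


if __name__ == "__main__":
    for label, answers in [("broken", BROKEN), ("fixed", FIXED), ("other CA", OTHER_CA)]:
        print(label, caa_decision(answers, "api.stg.deutschefin.tech"))
```

The `OTHER_CA` case shows the flip side: once a CAA record set exists at or above the name, it has to list the CA being used, otherwise issuance is refused for a different reason.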