Certbot giving error dns-problem servfail looking up caa-for

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
deutschefin.tech

I ran this command: in past this command work well for other env e.g. dev,uat etc . i also added TXT record for all of these domains.

sudo certbot -d api.stg.deutschefin.tech --manual --preferred-challenges dns certonly

It produced this output:
Failed authorization procedure. api.stg.deutschefin.tech (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for api.stg.deutschefin.tech

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: api.stg.deutschefin.tech
  Type: None
  Detail: DNS problem: SERVFAIL looking up CAA for
  api.stg.deutschefin.tech

My web server is (include version):
Ubuntu 18.04.1 LTS

The operating system my web server runs on is (include version):
Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Azure

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

Same as CAA behaviour changed? maybe?

Common factors: Azure, FORMERR.

Thanks for your quick response.
do we have any workaround for this problem.?
or do we need to wait till one week as mentioned in above post

I might be wrong as I’m not completely across the issue in that thread, but if you create the CAA record in Azure DNS:

api.stg.deutschefin.tech.    IN    CAA issue "letsencrypt.org"

Then the nameserver should return NOERROR rather than FORMERR, and issuance should succeed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.