Challenge failed for domain SERVFAIL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot --nginx

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for

    • the domain’s nameservers may be malfunctioning
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.0

You have DNSSEC issues:

Thanks for the quick reply. I’m not really sure what DNSSEC means as I’m pretty new to this? Can you please tell me what the issue is or how I can resolve it?

Okay, so I’m not sure how to delete this post, nor how to close it. But I’ve rectified the issue. The problem was that I forgot to create a CAA record from my DigitalOcean account.

It’s good that you got it to work, but this is not the true nature of the issue.

You don’t need to create a CAA record, it’s just that doing so has effectively masked a different problem.

The problem here is that you added to your DigitalOcean account as the DNS zone, but you needed to instead add, and then create the www subdomain within that DNS zone.

This is probably going to bite you in the ass in the future if you don’t fix it now. For example, if you ever want to set up email services.

But it’s up to you.
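To see why a CAA record at www "masks" the broken parent zone, here is an added example (not code from the thread, Certbot or Let's Encrypt) that simulates the RFC 8659 CAA tree climb a CA performs before issuing. The stub resolver and the three zone layouts are constructed, and example.com stands in for the poster's real domain; only the `issue` tag is checked (no `issuewild` or `iodef` handling).

```python
"""Simulate the RFC 8659 CAA climb: query CAA at the FQDN, then each parent,
and use the first non-empty RRset found. A SERVFAIL at any level before that
aborts the check, which is the error Certbot printed in this thread."""

SERVFAIL = "SERVFAIL"  # marker for a name the nameservers could not answer


def ancestors(fqdn):
    """Yield fqdn and each parent, e.g. www.example.com, example.com, com."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def find_caa(fqdn, resolver):
    """Return (name, records) for the first non-empty CAA RRset while climbing,
    or (None, []) if no ancestor has one. Raise RuntimeError on SERVFAIL."""
    for name in ancestors(fqdn):
        answer = resolver.get(name, [])  # unknown names answer NODATA (empty)
        if answer == SERVFAIL:
            raise RuntimeError(f"DNS problem: SERVFAIL looking up CAA for {name}")
        if answer:
            return name, answer
    return None, []


def issuance_allowed(fqdn, resolver, ca="letsencrypt.org"):
    """Return (allowed, reason). No CAA on any ancestor means any CA may issue."""
    try:
        name, records = find_caa(fqdn, resolver)
    except RuntimeError as err:
        return False, str(err)
    if name is None:
        return True, "no CAA record found on any ancestor"
    issuers = {r.split()[2] for r in records if r.split()[1] == "issue"}
    if ca in issuers:
        return True, f"CAA at {name} permits {ca}"
    return False, f"CAA at {name} does not list {ca}"


# Constructed layouts. BROKEN: zone created as www.example.com, so the apex
# name fails. MASKED: same broken apex, but a CAA record at www stops the climb
# early. FIXED: zone recreated at the apex with www inside it, no CAA anywhere.
BROKEN = {"www.example.com": [], "example.com": SERVFAIL, "com": []}
MASKED = {"www.example.com": ["0 issue letsencrypt.org"], "example.com": SERVFAIL, "com": []}
FIXED = {"www.example.com": [], "example.com": [], "com": []}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("masked", MASKED), ("fixed", FIXED)):
        print(label, issuance_allowed("www.example.com", zone))
```

The MASKED layout issues fine only because the climb never reaches the failing apex, which is exactly the hidden problem described above.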


Oh, I see. Thanks a lot. Will change that right now

So I deleted that domain, and created a new domain, and added the www as a subdomain. My question now is if I still need to create a CAA record. Like is it necessary?

You don’t, no. It’s optional.

The reason it caused an error the first time is due to the way you created the zone.

Okay. Thanks for the help

