Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for - the
    domain's nameservers may be malfunctioning

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0


Welcome to the Let's Encrypt Community, Michael :slightly_smiling_face:

You might want a working A or AAAA record in your DNS for

I have tested several different ways and found problems accessing your DNS, so your provider may have issues.


Source of this error:

Your domain is being hosted on Digital Ocean DNS servers:		86400	IN	NS		86400	IN	NS		86400	IN	NS
;; Received 610 bytes from 2a01:8840:a1::17#53( in 18 ms

However, the DO nameservers are refusing to answer for your "bare" domain name:

osiris@erazer ~ $ dig CAA

; <<>> DiG 9.16.6 <<>> CAA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27911
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
;			IN	CAA

;; Query time: 292 msec
;; SERVER: 2400:cb00:2049:1::adf5:3a33#53(2400:cb00:2049:1::adf5:3a33)
;; WHEN: Thu Oct 22 21:00:35 CEST 2020
;; MSG SIZE  rcvd: 41

osiris@erazer ~ $ 

They do however answer for the www subdomain, but the CAA record is looked up for all the "upper" labels of the hostname until it encounters a CAA record. So even if you ask a certificate just for, if that hostname doesn't have a CAA record, it'll ask the CAA record of And that one gives an error, which isn't acceptable.


Thanks for your reply! This makes sense as to why I need www.*** to access my site during testing. How would I go about fixing this? Would I have to get in contact with DO?

I have an A record set up at the root of the domain pointing to my web server but how would I go about resolving for the whole domain and not the www subdomain?


Thanks for confirming this!! Turns out the issue is that the DNS resolves the www.** subdomain but not the root of the domain itself but I'm not sure how to go about having the DNS resolve the root domain.


Add an A record to your DNS that points (or @) to


Just did that and it worked! Thanks!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.