Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): www.mdigregor.io
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.mdigregor.io
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.mdigregor.io
http-01 challenge for www.mdigregor.io
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.mdigregor.io
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for mdigregor.io - the
domain's nameservers may be malfunctioning
My web server is (include version): Apache/2.4.41
The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0
Your domain is being hosted on Digital Ocean DNS servers:
mdigregor.io. 86400 IN NS ns1.digitalocean.com.
mdigregor.io. 86400 IN NS ns2.digitalocean.com.
mdigregor.io. 86400 IN NS ns3.digitalocean.com.
;; Received 610 bytes from 2a01:8840:a1::17#53(a2.nic.io) in 18 ms
However, the DO nameservers are refusing to answer for your "bare" domain name:
They do however answer for the www subdomain, but the CAA record is looked up for all the "upper" labels of the hostname until it encounters a CAA record. So even if you ask a certificate just for www.mdigregor.io, if that hostname doesn't have a CAA record, it'll ask the CAA record of mdigregor.io. And that one gives an error, which isn't acceptable.
Thanks for your reply! This makes sense as to why I need www.*** to access my site during testing. How would I go about fixing this? Would I have to get in contact with DO?
I have an A record set up at the root of the domain www.mdigregor.io pointing to my web server but how would I go about resolving for the whole domain and not the www subdomain?
Thanks for confirming this!! Turns out the issue is that the DNS resolves the www.** subdomain but not the root of the domain itself but I'm not sure how to go about having the DNS resolve the root domain.
