DNS problem: SERVFAIL looking for CAA despite it being set

My domain is: amamiya.yuuko.eu

I ran this command: certbot certonly --dry-run --webroot --agree-tos --webroot-path /var/www/yuuko.tv/ -d yuuko.eu --webroot-path /var/www/kanoe.yuuko.tv/ -d kanoe.yuuko.eu --webroot-path /var/www/amamiya.yuuko.eu/ -d amamiya.yuuko.eu --key-type ecdsa --elliptic-curve secp384r1 --register-unsafely-without-email

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: amamiya.yuuko.eu
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for amamiya.yuuko.eu - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version):
nginx version: nginx/1.20.2

The operating system my web server runs on is (include version):
Fedora 35

My hosting provider, if applicable, is:
Selfhosted at hetzner

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

The other two domains, yuuko.eu and kanoe.yuuko.eu, resolve their CAA queries fine (or at least they do not result in errors). The CAA queries also appear to resolve just fine in the DNS Spy report for yuuko.eu and at https://unboundtest.com/m/CAA/yuuko.eu/ZFLZK7ZI, and also with dig:

amamiya.yuuko.eu.	6831	IN	CAA	0 issue "letsencrypt.org"

letsdebug: Let's Debug

So for a layman everything looks alright on the DNS provider's side. Why is certbot throwing an error for SERVFAIL? Do I need to contact my DNS provider (njalla) or is there something wrong with certbot?

What happens when you try again? Is this a permanent or an intermittent issue?


I had tried it 5 times over the course of three hours. I just tried it again and it seemed to have worked without any errors. Looks like a temporary problem then. Sorry for wasting everybody's time.


No worries. It may have been an issue with upstream nameservers, or an intermittent DNSSEC signing issue. Feel free to post here again if the issue re-appears - there have been cases of mysterious intermittent SERVFAIL errors in the past.
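To make concrete why a SERVFAIL on the CAA lookup blocks issuance while a missing CAA record does not, and why a failure at one name can hit one hostname but not its siblings, here is an added example that is not code from this thread, from certbot or from Let's Encrypt: a small model of the CAA search a CA performs under RFC 8659, run against a constructed in-memory resolver so it works offline. The `FakeResolver`, the zone contents and the `HEALTHY`/`FLAKY`/`APEX_DOWN` resolvers are constructed for illustration; only the hostnames are taken from the thread, and the CAA values assigned to them are assumed, not verified.

```python
"""Model of the CAA lookup a CA performs before issuance (RFC 8659), run against a
constructed in-memory resolver. Added example; not code from the thread, certbot or
Let's Encrypt. Zone contents and the resolver are constructed for illustration."""
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"
CRITICAL = 0x80                        # CAA issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


class LookupFailure(Exception):
    """A CAA query failed (e.g. SERVFAIL). A CA must treat this as 'cannot issue',
    not as 'no CAA record': a record it could not fetch might forbid issuance."""


class FakeResolver:
    """Constructed stand-in for the CA's recursive resolver. `zones` maps a name to
    its CAA RRset (empty list = name exists, no CAA). Names in `failing` answer
    SERVFAIL, modelling a lame or DNSSEC-broken authoritative server."""

    def __init__(self, zones, failing=()):
        self.zones = {k.rstrip(".").lower(): list(v) for k, v in zones.items()}
        self.failing = {n.rstrip(".").lower() for n in failing}

    def query_caa(self, name):
        name = name.rstrip(".").lower()
        if name in self.failing:
            return SERVFAIL, []
        if name in self.zones:
            return NOERROR, self.zones[name]
        return NXDOMAIN, []


def relevant_caa_set(resolver, fqdn):
    """RFC 8659 section 3: query CAA at the FQDN, then at each parent in turn, and
    use the first non-empty RRset. Returns (name, records) or (None, []) if no CAA
    exists anywhere up the chain. A SERVFAIL at any step aborts the search."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = resolver.query_caa(name)
        if rcode == SERVFAIL:
            raise LookupFailure(f"SERVFAIL looking up CAA for {name}")
        if records:
            return name, records
    return None, []


def issuance_permitted(resolver, fqdn, ca_domain="letsencrypt.org", wildcard=False):
    """Apply the relevant CAA set to an issuance request from `ca_domain`."""
    _, records = relevant_caa_set(resolver, fqdn)
    if not records:
        return True                    # no CAA anywhere: no restriction
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False                   # critical property the CA does not understand
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in records if r.tag.lower() == tag]
    if wildcard and not props:
        props = [r for r in records if r.tag.lower() == "issue"]  # issue covers wildcards too
    if not props:
        return True                    # CAA present but restricts nothing for this request
    for r in props:
        issuer = r.value.split(";", 1)[0].strip().lower()  # drop "; accounturi=..." parameters
        if issuer == ca_domain.lower():
            return True
    return False                       # other issuers only, or value ";" (forbid all)


def describe(resolver, fqdn, ca_domain="letsencrypt.org"):
    """One-line verdict in the spirit of the CA's error text, for diagnosis."""
    try:
        ok = issuance_permitted(resolver, fqdn, ca_domain)
    except LookupFailure as e:
        return f"error: {e}"
    return "permitted" if ok else "forbidden"


# Constructed zone data using the thread's names: CAA at the apex and at amamiya,
# none at kanoe (which therefore inherits the apex record during the climb).
ZONES = {
    "yuuko.eu": [CAARecord(0, "issue", "letsencrypt.org")],
    "amamiya.yuuko.eu": [CAARecord(0, "issue", "letsencrypt.org")],
    "kanoe.yuuko.eu": [],
}
HEALTHY = FakeResolver(ZONES)
FLAKY = FakeResolver(ZONES, failing=["amamiya.yuuko.eu"])   # the thread's symptom
APEX_DOWN = FakeResolver(ZONES, failing=["yuuko.eu"])       # apex fails: kanoe blocked, amamiya not

if __name__ == "__main__":
    for res, label in ((HEALTHY, "healthy"), (FLAKY, "flaky"), (APEX_DOWN, "apex down")):
        for host in ("yuuko.eu", "kanoe.yuuko.eu", "amamiya.yuuko.eu"):
            print(f"{label:10} {host:20} {describe(res, host)}")
```

The point the model makes: an NXDOMAIN or an empty answer lets the search climb to the parent and, if nothing is found, issuance proceeds; a SERVFAIL anywhere along the climb is a hard stop, which is exactly the "DNS problem: SERVFAIL looking up CAA" certbot reported. Because the climb stops at the first name that has a CAA record, a hostname with its own record never consults the apex, while one without a record does, so an intermittent failure at one name shows up only for the hostnames whose search passes through it.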

