My domain is: amamiya.yuuko.eu
I ran this command: certbot certonly --dry-run --webroot --agree-tos --webroot-path /var/www/yuuko.tv/ -d yuuko.eu --webroot-path /var/www/kanoe.yuuko.tv/ -d kanoe.yuuko.eu --webroot-path /var/www/amamiya.yuuko.eu/ -d amamiya.yuuko.eu --key-type ecdsa --elliptic-curve secp384r1 --register-unsafely-without-email
It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: amamiya.yuuko.eu
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for amamiya.yuuko.eu - the domain's nameservers may be malfunctioning
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
My web server is (include version):
nginx version: nginx/1.20.2
The operating system my web server runs on is (include version):
Fedora 35
My hosting provider, if applicable, is:
Self-hosted at Hetzner
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0
The other two domains, yuuko.eu and kanoe.yuuko.eu, resolve their CAA queries fine (or at least they do not result in errors). The CAA queries also appear to resolve just fine according to the DNS Spy report for yuuko.eu and https://unboundtest.com/m/CAA/yuuko.eu/ZFLZK7ZI, and also with dig:
;; ANSWER SECTION:
amamiya.yuuko.eu. 6831 IN CAA 0 issue "letsencrypt.org"
letsdebug: Let's Debug
So for a layman everything looks alright on the DNS provider's side. Why is certbot throwing an error for SERVFAIL? Do I need to contact my DNS provider (Njalla) or is there something wrong with certbot?