DNS problem: SERVFAIL looking up CAA - but I have setup the CAA

My domain is:
admin.prod.ga.manabie.io

I ran this command:
kubectl cert-manager renew admin-prod-ga-gateway

It produced this output:
Warning Failed 8s (x7 over 57m) cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "admin-prod-ga-gateway-mbfnd-3584482769" to become ready: order is in "errored" state: Failed to finalize Order: 403 urn:ietf:params:acme:error:caa: Error finalizing order :: While processing CAA for admin.prod.ga.manabie.io: DNS problem: SERVFAIL looking up CAA for prod.ga.manabie.io - the domain's nameservers may be malfunctioning
My web server is (include version):

cert-manager v1.4.0

We're using Google Cloud DNS with DNSSEC disabled.

We can just create the new cert with http-01 successfully with exactly the same information

1 Like

It looks like you got a new certificate yesterday. Do you still need help?

I am not familiar with your kubectl cert-manager. I am also not a DNS expert. But this website often shows problems that help others fix DNS problems. See the error using UDP to contact the DNS server. Perhaps this was part of your original problem?
https://dnsviz.net/d/admin.prod.ga.manabie.io/dnssec/

3 Likes

Actually I can just create the new cert normally.
The issue may come from cert-manager.

2 Likes
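
The error in the first post names prod.ga.manabie.io, a parent of the requested name, because the CA walks up the DNS tree looking for CAA records and treats a failed lookup differently from an empty answer. The sketch below is an added example, not code from this thread, cert-manager or Let's Encrypt; it models that walk per RFC 8659 over constructed DNS answers for the hypothetical name admin.prod.ga.example.org, skips wildcard (issuewild) handling, and the name caa_decision is an assumption.

```python
# Added example: CAA tree climbing (RFC 8659) over constructed DNS answers.
# Names and records are constructed; they are not the thread's real zone data.

def caa_decision(fqdn, ca_domain, responses):
    """Return (decision, name, reason) for a non-wildcard name.

    responses maps name -> (rcode, [(tag, value), ...]); a name missing
    from the map is treated as NXDOMAIN with no records.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, rrset = responses.get(name, ("NXDOMAIN", []))
        if rcode not in ("NOERROR", "NXDOMAIN"):
            # A failed lookup is not "no CAA record": a restrictive record
            # could exist at this name, so the CA has to refuse.
            return ("refuse", name, f"{rcode} looking up CAA")
        if not rrset:
            continue  # nothing published here, climb to the parent
        # First non-empty CAA RRset found is the one that applies.
        issuers = [v.split(";")[0].strip() for t, v in rrset if t == "issue"]
        if not issuers:
            return ("allow", name, "CAA set has no issue property")
        if ca_domain in issuers:
            return ("allow", name, "CA is listed in issue property")
        return ("refuse", name, "CA is not listed in issue property")
    return ("allow", None, "no CAA record found")


# Constructed zone: a CAA record at the apex authorizing one CA.
HEALTHY = {"example.org": ("NOERROR", [("issue", "letsencrypt.org")])}
# Same zone, but the resolver gets SERVFAIL for one intermediate name.
BROKEN = dict(HEALTHY, **{"prod.ga.example.org": ("SERVFAIL", [])})

if __name__ == "__main__":
    for label, zone in (("healthy", HEALTHY), ("broken", BROKEN)):
        result = caa_decision("admin.prod.ga.example.org", "letsencrypt.org", zone)
        print(label, result)
```

In the broken case the walk stops at the intermediate name and never reaches the apex record, which is why a correctly published CAA record does not prevent this error.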
