I ran this command: kubectl cert-manager renew admin-prod-ga-gateway
It produced this output: Warning Failed 8s (x7 over 57m) cert-manager The certificate request has failed to complete and will be retried: Failed to wait for order resource "admin-prod-ga-gateway-mbfnd-3584482769" to become ready: order is in "errored" state: Failed to finalize Order: 403 urn:ietf:params:acme:error:caa: Error finalizing order :: While processing CAA for admin.prod.ga.manabie.io: DNS problem: SERVFAIL looking up CAA for prod.ga.manabie.io - the domain's nameservers may be malfunctioning
My web server is (include version):
We're using Google Cloud DNS with DNSSec disabled.
We can just create the new cert with http-01 successfully with exactly the same infomation
I am not familiar with your kubectl cert-manager. I am also not a DNS expert. But, this website often shows problems that helps others fix DNS problems. See the error using UDP to contact the DNS server. Perhaps this was part of your original problem? https://dnsviz.net/d/admin.prod.ga.manabie.io/dnssec/