DNS problem: SERVFAIL looking up CAA for domain


I’m trying to use the EFF certbot to generate and configure the certificate on my webserver.

I’m using the simple command: certbot --apache.

The authorization procedure is failing with the error:

Failed authorization procedure. security.claudio.pt (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for security.claudio.pt

Using dig security.claudio.pt @ -t type257 I can confirm that the status is indeed SERVFAIL.

I had actually never heard of this record. Is the only way to solve this to ask the registrar to add this record to my DNS zone? Is there an option to bypass this error?

If it is, is the following record correct?

claudio.pt. CAA 0 issue "letsencrypt.org"

Thank you.

Hi @clviper, this API announcement explains why this problem is occurring for you.

Not quite - you don't actually need to add a CAA record or have support for adding them. The problem is that when we ask your authoritative DNS server "Hey do you have a CAA record for this domain?" instead of saying "Nope, no record!" it says "SERVFAIL".

You need to contact your DNS provider to have them fix this error. Soon all CAs (not just Let's Encrypt) will be required to ask your DNS server about CAA before issuing, and this will cause problems until fixed by your provider.

There isn't presently a way to bypass this error except having your DNS provider fix this problem or switching to a DNS provider that doesn't return SERVFAIL instead of a non-error reply.

Hope this helps!
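To make the distinction in the reply above concrete, here is an added example (not code from the thread or from Let's Encrypt) that emulates the CAA check a CA performs before issuance as described in RFC 8659: it parses CAA wire-format RDATA, climbs from the requested name up through its parents until it finds a CAA RRset, treats NXDOMAIN and an empty NOERROR answer as "no record here, try the parent", and treats SERVFAIL as a hard failure. The resolver, the zone table and every domain name in it are constructed assumptions so the script runs offline; replace `fake_resolve` with real queries (for example via dnspython) to check a live domain.

```python
"""
Added example (not from the original thread): emulate the CAA check a CA
performs before issuance, per RFC 8659, against a constructed fake
resolver so it runs offline. Names, records and the resolver table are
assumptions for illustration.
"""

CAA_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # "issuer critical" flag bit in the CAA flags byte


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Encode one CAA RR's RDATA in wire format: flags(1) taglen(1) tag value."""
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def parse_caa_rdata(rdata: bytes):
    """Decode wire-format CAA RDATA into (flags, tag, value)."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


# Constructed fake zone data keyed by fully-qualified name. A value is either an
# rcode string ("SERVFAIL", "NXDOMAIN") or ("NOERROR", [rdata, ...]); an empty
# list models a NODATA answer (the name exists but has no CAA records).
FAKE_ZONE = {
    # Mirrors the symptom in the thread: the child name SERVFAILs on CAA.
    "security.claudio.pt.": "SERVFAIL",
    "claudio.pt.": ("NOERROR", [caa_rdata(0, "issue", "letsencrypt.org")]),
    "pt.": ("NOERROR", []),
    # Healthy case: the child has no CAA, the parent authorises Let's Encrypt.
    "www.example.net.": ("NOERROR", []),
    "example.net.": ("NOERROR", [caa_rdata(0, "issue", "letsencrypt.org")]),
    "net.": ("NOERROR", []),
    # The parent restricts issuance to a different CA.
    "locked.example.org.": ("NOERROR", []),
    "example.org.": ("NOERROR", [caa_rdata(0, "issue", "other-ca.example")]),
    # An unknown tag marked critical: the CA must refuse.
    "crit.example.org.": ("NOERROR", [caa_rdata(CRITICAL, "futuretag", "x")]),
}


def fake_resolve(name: str):
    """Stand-in for a recursive resolver; names not in the table are NXDOMAIN."""
    return FAKE_ZONE.get(name, "NXDOMAIN")


def candidate_names(name: str):
    """Yield the name and each ancestor up to the TLD (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa_set(name: str, resolve=fake_resolve):
    """Return (authority_name, records) for the first self-or-ancestor with CAA.

    NXDOMAIN and NODATA mean "no CAA here, try the parent"; SERVFAIL (or any
    other failure) aborts the check, which is what the thread's error reflects.
    """
    for candidate in candidate_names(name):
        answer = resolve(candidate)
        if answer == "NXDOMAIN":
            continue
        if isinstance(answer, tuple) and answer[0] == "NOERROR":
            records = [parse_caa_rdata(r) for r in answer[1]]
            if records:
                return candidate, records
            continue
        raise LookupError(f"{answer} looking up CAA for {candidate}")
    return None, []


def caa_decision(name: str, ca: str = "letsencrypt.org", resolve=fake_resolve) -> dict:
    """Decide whether `ca` may issue for `name` (non-wildcard names only)."""
    try:
        authority, records = relevant_caa_set(name, resolve)
    except LookupError as exc:
        return {"allowed": False, "authority": None, "reason": str(exc)}
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in CAA_TAGS:
            return {"allowed": False, "authority": authority,
                    "reason": f"critical unknown tag {tag!r}"}
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in records if tag == "issue"]
    if not issuers:
        return {"allowed": True, "authority": authority, "reason": "no issue restriction"}
    if ca.lower() in issuers:
        return {"allowed": True, "authority": authority, "reason": f"{ca} listed at {authority}"}
    return {"allowed": False, "authority": authority,
            "reason": f"issue records at {authority} do not include {ca}"}


if __name__ == "__main__":
    for n in ("security.claudio.pt", "www.example.net", "locked.example.org",
              "crit.example.org", "open.example.com"):
        print(n, caa_decision(n))
```

Note that in the SERVFAIL case the check fails at the first label, before the parent's CAA record is ever consulted, which is why adding a record at the parent alone does not help and the provider's answer for the child name itself has to change.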

Thank you for the help. Will try to sort this out with my provider.


Best of luck! If possible, would you mind sharing the name of your DNS provider? It helps us coordinate with other folks that have the same problem using the same provider.

Thanks. My provider is dominios.pt, which is part of Claranet.


Hello Claudio,

I have the exact same problem with dominios.pt. I can get a certificate for domain.pt but not for www.domain.pt. Have you found a solution to this problem? Have you contacted them?

I will also try to contact them to see what they say.

Hi Ivo,

They told me that they had the right behaviour, that is, when no record exists they return no record, but that was not the case. I always received SERVFAIL. I ended up asking dominios.pt to add a CAA record like:

subdomain.domain.pt. CAA 0 issue "letsencrypt.org"

After that, I was able to use certbot without any problems.


Good to know :slight_smile:

I have sent them a ticket and they fixed the problem but didn't tell me exactly what they did. I assume they put a CAA record as you have indicated. It's a pain that I think I will need to ask for this for every domain I want to put Let's Encrypt on :frowning:

How can we know beforehand if we are going to have our domains in a company that will have good support to letsencrypt and that will let us manage our DNS for free?

I find this to be a real pain in the ass :confused:

@civiper, @ivo, do you use DNSSEC for your domains?

@jsha I don’t even know what that is :smile: I know it can be a problem when there is this kind of error but I was testing in a website to check if I had DNS problems and it said I was not using DNSSEC. Whatever it is… should I be using it?

I ask because sometimes DNSSEC can be a cause of SERVFAIL errors. If you aren’t using it and aren’t familiar with it, don’t worry about it.

