DNS problem: SERVFAIL looking up CAA

DNS problem: SERVFAIL looking up CAA for helpdesk.example.com

Error Output:-

Your system is not supported by certbot-auto anymore.
Certbot will no longer receive updates.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for helpdesk.example.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain helpdesk.example.com
http-01 challenge for helpdesk.example.com
Cleaning up challenges
Some challenges have failed.

  • The following errors were reported by the server:

Domain: helpdesk.example.com
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for
helpdesk.example.com - the domain's nameservers may be

[root@letsencrypts-custom ~]# dig helpdesk.example.com caa

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.60.amzn1 <<>> helpdesk.example.com caa

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54809

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


;helpdesk.example.com. IN CAA

;; Query time: 761 msec


;; WHEN: Tue Feb 9 09:43:00 2021

;; MSG SIZE rcvd: 38

But I’ve no idea why the certificate could not be generated.

Thanks for help

Hi @saravanan

please read your own result:

A CAA query of your domain produces a SERVFAIL.

So your name server software is too old and sends the wrong result. So it's impossible to check if there is a CAA entry -> it's not possible to create a certificate.

--> Update your DNS server software or switch to another dns provider.

PS: Checked manual, only your netriplex name servers are buggy. But these are the delegated name servers, so it's fatal.


1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.