I'm trying to renew the certificate for portal.tech.cpa which includes a bunch of aliases. One of them is clientportal.davistaxservices.net which can't pass CAA verification.
clientportal.davistaxservices.net is a white label of taxdome.com client. I have been seeing the problem since 21 JAN, it blocks the renewing of the certificate for a long time. I have no access to the client dns. DNS for taxdome.com didn't change as well.
For instance:
2022-01-26T08:37:52
Acme::Client::Error::Caa: Error finalizing order :: While processing CAA for clientportal.davistaxservices.net: DNS problem: SERVFAIL looking up CAA for clientportal.davistaxservices.net - the domain's nameservers may be malfunctioning
2022-01-26T07:05:15 Acme::Client::Error::Caa: Error finalizing order
While processing CAA for www.lemecgroupadvisors.com:
DNS problem: SERVFAIL looking up CAA for www.lemecgroupadvisors.com -
the domain's nameservers may be malfunctioning
2022-01-22T19:52:22 Acme::Client::Error::Caa: Error finalizing order
While processing CAA for www.prospecttaxes.com:
DNS problem: SERVFAIL looking up CAA for prospecttaxes.com -
the domain's nameservers may be malfunctioning
2022-01-21T01:20:20 Acme::Client::Error::Caa: Error finalizing order
While processing CAA for portal.georgecpafirm.com: DNS problem:
SERVFAIL looking up CAA for georgecpafirm.com -
the domain's nameservers may be malfunctioning
Hmm. I've been testing every way I could find, and I couldn't get a SERVFAIL no matter what I did. So it must have been fixed before I started poking around at it. Usually a SERVFAIL is due to the server not handling DNSSEC correctly, but it doesn't look like either domain is DNSSEC-signed, so I don't think that's it. Perhaps someone who handles your DNS fixed something? But everything looks fine now, so I'm not sure what else to suggest.