DNS problem: SERVFAIL looking up CAA

My domain is: novamold.com

I ran this command: sudo certbot --apache, then certbot --expand -d novamold.com,www.novamold.com

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.novamold.com
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for www.novamold.com - the domain's nameservers may be malfunctioning

My web server is (include version):
Server version: Apache/2.4.48 (Ubuntu)
Server built: 2022-01-05T14:29:15

The operating system my web server runs on is (include version): Ubuntu 21.10

My hosting provider, if applicable, is: N/A, networksolutions.com is the registrar

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0

I know I'm getting this error because the CAA record I added is for the root domain and not the www. But it does not seem possible to add a CAA record for the www domain on Network Solutions website (unless I'm missing something, which is quite possible). When I generate the cert for the root domain certbot completes successfully but browsing the website using HTTPS results in SSL_ERROR_BAD_CERT_DOMAIN error.

I've sent a ticket to Network Solutions but it's going on day 3 and I haven't received a response yet. Am I being overly optimistic in thinking they can do something from their end? Presumably going with the wildcard cert would solve this issue and I've looked at the instructions but due to the complexity I'd like to keep that as a last resort. Moving to a different registrar is also on the table but I have yet to research the options. Any suggestions would be appreciated.

The SERVFAIL looking up CAA is mostly caused by a DNSSEC error.
You may try:

  1. Disable DNSSEC for your domain name
  2. Correct warnings or errors in dnsviz
  3. Update the novamold.com. 3600 IN CAA 0 issuewild "novamold.com" CAA record below
➜  ~ dig novamold.com caa

; <<>> DiG 9.10.6 <<>> novamold.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40798
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;novamold.com.			IN	CAA

;; ANSWER SECTION:
novamold.com.		3600	IN	CAA	0 issuewild "novamold.com"
novamold.com.		43200	IN	CAA	0 issue "letsencrypt.org"

Change your dns hosting. Your dns cannot SERVFAIL when asked a CAA record that isn't there.

Yes, and it's half wrong, remove the issuewild one.


I wasn't sure if I needed a CAA record for our internal CA which generates the cert for our Exchange server. I added it just to be safe but I've deleted it now.

I re-ran the "certbot --expand -d novamold.com,www.novamold.com" command after deleting the CAA issuewild record for the novamold.com root domain just to see what would happen but still got the same error. I only waited a few minutes so I'll try again later but I can't figure out how that record itself would be an issue.

I've looked at the output from DNSViz and all that comes up are some warnings:

Warnings: DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1). DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. In the spirit of RFC 4509, DS records with digest type 1 (SHA-1) might be ignored when DS records with digest type 4 (SHA-384) exist in the same RRset.

I'm not really sure what this error means or if it can be resolved without disabling DNSSEC completely. At this point, I'm trying to recall if it was enabled for a specific purpose but if not I will disable it and test again, assuming turning it off won't disrupt any of the other services.

If I turn off DNSSEC should I delete the CAA record as well?

No, that's not the issue. It's that issuewild overwrites issue. So you might want to use two issue CAA records.

But this isn't the problem you are encountering. The problem you are encountering is a shitty DNS server. Switch providers.

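An added example, not from the thread, modelling how a CA evaluates CAA per RFC 8659 for the two cases discussed above: the lookup climbs from the requested name toward the root and must fail closed when any step returns SERVFAIL (the error the CA reported for www.novamold.com), and issuewild governs only wildcard names while issue governs the rest. The zone data is constructed from the dig output earlier in the thread; the function and class names are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

class CAALookupError(Exception):
    """A lookup during the CAA climb returned SERVFAIL: the CA must not issue."""

# Constructed zone data mirroring the dig output in the thread; a name that is
# absent from the dict answers NOERROR with an empty RRset (NODATA).
ZONE = {
    "novamold.com.": ("NOERROR", [CAA(0, "issuewild", "novamold.com"),
                                  CAA(0, "issue", "letsencrypt.org")]),
}
# Same zone, but the www name answers SERVFAIL, as in the original error.
BROKEN_ZONE = dict(ZONE, **{"www.novamold.com.": ("SERVFAIL", [])})

def lookup(name, zone):
    rcode, rrs = zone.get(name, ("NOERROR", []))
    if rcode == "SERVFAIL":
        raise CAALookupError(f"SERVFAIL looking up CAA for {name}")
    return rrs

def relevant_caa(name, zone):
    """RFC 8659 s3: climb toward the root, use the first non-empty CAA RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = lookup(".".join(labels[i:]) + ".", zone)
        if rrs:
            return rrs
    return []

def permitted_cas(rrs, wildcard):
    """issuewild, when present, alone governs wildcard names (RFC 8659 s4.3)."""
    issue = {r.value.split(";")[0].strip() for r in rrs if r.tag == "issue"}
    issuewild = {r.value.split(";")[0].strip() for r in rrs if r.tag == "issuewild"}
    allowed = issuewild if wildcard and issuewild else issue
    return allowed - {""}  # a bare ";" value forbids every CA

def check_issuance(name, ca, zone=ZONE):
    """Return 'permitted', 'forbidden' or 'lookup-failed' for CA `ca` and `name`."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    try:
        rrs = relevant_caa(base, zone)
    except CAALookupError:
        return "lookup-failed"
    if not rrs:
        return "permitted"  # no CAA anywhere in the climb: any CA may issue
    return "permitted" if ca in permitted_cas(rrs, wildcard) else "forbidden"
```

With the thread's records, letsencrypt.org is permitted for www.novamold.com (found via the climb to novamold.com) but not for *.novamold.com, and any SERVFAIL on the way up blocks issuance regardless of what the parent says.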

Well I was hoping someone else who is using Network Solutions might jump in and say whether or not they were able to get it to work, and I'll probably wait another day or two to see if they respond to my ticket. But the domain is up for renewal this year so likely I'll just move it, would be nice if I can get a Canadian registrar this time. Though at this point I'll take any that isn't too overpriced and is on the Certbot compatible list.

They weren't. It's not a new issue.

https://community.letsencrypt.org/search?context=topic&context_id=172666&q=Network%20solutions%20&skip_context=true

You don't need to use your registrar as an authoritative DNS, you can separate the two functions.

As for price, cloudflare is free. (Has a free plan)


Someone from Network Solutions finally responded to my ticket to confirm details of the CAA record. I went to check it and it appeared on their site the same as it did before, but the dig command came back with NOERROR instead of SERVFAIL this time. I tried the certificate generation again using "certbot --expand -d novamold.com,www.novamold.com" to add the www domain and this time it worked. The person who responded to my ticket did not say they changed anything so I do not know why it suddenly worked. The only thing I did on my end was create a cloudflare account to use their name servers but I never got around to completing the setup. Dig still only shows the Worldnic.com servers.

My website is now loading https://www.novamold.com as it should.

