I’m getting this error with a subdomain that is using a CNAME record to point it to an Amazon EC2 instance. The domain name resolves fine on my local machine:
$ nslookup demo.amcv.wsaa.asn.au 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
demo.amcv.wsaa.asn.au canonical name = ec2-52-62-56-82.ap-southeast-2.compute.amazonaws.com.
Name: ec2-52-62-56-82.ap-southeast-2.compute.amazonaws.com
Address: 52.62.56.82
But Let’s Encrypt responds with:
$ ./letsencrypt-auto certonly --standalone -d demo.amcv.wsaa.asn.au
[...]
- The following errors were reported by the server:
Domain: demo.amcv.wsaa.asn.au
Type: connection
Detail: DNS problem: query timed out looking up CAA for
amcv.wsaa.asn.au
Do I need zone file records in addition to CNAME? I have another subdomain on a different domain (different zone file and name servers) that works fine, and it has no CAA record.