Thank you, motoko.
I know it was generated yesterday (1/15/16). I tried many times, just did not know which time it went through.
I had 80 and 443 open (with a self signed certificate at 443). So I assume both tls-sni-01 and http-01 should be working. This is very helpful information, though.
I think the problem is on the DN look-up step. There is no CAA record. Somehow it took very long time for domain name server to respond. Here are some results Osiris sent to me. He mentioned that getting ip is fast, but ‘one but last step is often quite slow’. Slowness could be the reason for failing at CAA checking step.
Domain Name servers: dns9.hichina.com. dns10.hichina.com.
;; Received 676 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 6799 ms
;; Received 676 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 701 ms
;; Received 676 bytes from 220.127.116.11#53(f.gtld-servers.net) in 2312 ms
;; Received 676 bytes from 18.104.22.168#53(d.gtld-servers.net) in 5115 ms