Failed authorization procedure: urn:acme:error:connection

My domain is:

I ran this command: sudo certbot --apache certonly

It produced this output:
Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for prevents issuance


  • The following errors were reported by the server:

    Type: connection
    Detail: CAA record for prevents issuance

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): apache 2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Is this a problem with the DNS server (which I don’t control)? Or am I messing something up? It was working fine for more than a year, up until a couple months ago and now I can’t seem to get any new certificates.

It turns out that has a CAA record only allowing issuance by DigiCert. If you have control over the DNS zone for, you can add your own CAA record allowing Let’s Encrypt to issue certificates for this domain. This record will take precedence over the record shown below as CAA records are evaluated on FQDNs from left to right, stopping at first result.

# dig CAA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24039
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;                    IN      CAA

;; ANSWER SECTION:
             3660    IN      CAA     0 iodef ""
             3660    IN      CAA     0 issue ""

;; Query time: 101 msec
;; WHEN: Mon Aug 14 17:00:59 2017
;; MSG SIZE  rcvd: 106

Hello @unr-sensor,

The "problem" is here: has a CAA record and only allows certificates issued by digicert:

$ dig caa +short
0 issue ""
0 iodef ""

so Let's Encrypt can't issue a certificate for your domain. If you control the DNS you should be able to create a CAA record for where Let's Encrypt is authorized to issue a cert for this domain.


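The two replies above both rest on the same rule: a CA looks for a CAA RRset on the exact name first and, finding none, climbs to the parent until something answers, so a record on the sub-name takes precedence over the parent's. The following is an added example, not code from the thread or from Let's Encrypt, that implements that tree climb (RFC 6844, later RFC 8659) over a constructed zone table and then decides whether a given issuer is permitted. All domain names in it are placeholders, since the thread redacted the real ones; the parent carrying `0 issue "digicert.com"` mirrors the situation described, and `fixed.example.com` shows the sub-name record the helpers suggested.

```python
"""Added example (not from the forum thread): RFC 6844 / RFC 8659 CAA
evaluation over a constructed zone table.

Domain names are hypothetical placeholders.  A name with no CAA record
of its own inherits the nearest ancestor's policy, which is why a
sub-name under a DigiCert-only parent is refused by Let's Encrypt.
"""

# Constructed zone data: FQDN -> list of CAA records as (flags, tag, value).
# "host.example.com" deliberately has no record, reproducing the thread.
ZONE = {
    "example.com": [
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # The fix suggested in the thread: a CAA record on the sub-name itself.
    "fixed.example.com": [
        (0, "issue", "letsencrypt.org"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name, zone=ZONE):
    """Return the CAA RRset for one exact name (empty list if none).

    Swap this for a live resolver (e.g. dnspython's
    dns.resolver.resolve(name, "CAA")) to run against real DNS.
    """
    return list(zone.get(name.rstrip(".").lower(), []))


def relevant_caa(name, zone=ZONE):
    """Tree climb: return (answering_name, records) for the first name,
    from the FQDN upward, that has a CAA RRset; (None, []) if none does."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = lookup_caa(candidate, zone)
        if records:
            return candidate, records
    return None, []


def issuance_allowed(name, issuer, zone=ZONE, wildcard=False):
    """True if `issuer` (e.g. "letsencrypt.org") may issue for `name`.

    - No relevant RRset at all            -> permitted.
    - A critical-flag record with an unknown tag -> refused.
    - Wildcard names use issuewild records when present, else issue.
    - No issue/issuewild records present  -> permitted (iodef-only set).
    - Otherwise at least one issue value must name the issuer; anything
      after ';' is a parameter and is ignored.  An empty value ("" or
      ";") names nobody, so it forbids all issuers.
    """
    _, records = relevant_caa(name, zone)
    if not records:
        return True
    # Critical (flag bit 128) records a CA does not understand block issuance.
    for flags, tag, _value in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    matching = [r for r in records if r[1] == tag]
    if not matching:
        return True
    permitted = {v.split(";", 1)[0].strip().lower() for _f, _t, v in matching}
    return issuer.lower() in permitted


if __name__ == "__main__":
    for fqdn in ("host.example.com", "fixed.example.com", "other.test"):
        answered, _ = relevant_caa(fqdn)
        print(f"{fqdn}: policy from {answered!r}, "
              f"letsencrypt.org allowed = {issuance_allowed(fqdn, 'letsencrypt.org')}")
```

To run the same check against real DNS, replace `lookup_caa` with a resolver call and keep the rest unchanged; the climb and the precedence rule are what the thread is about, and they do not depend on where the records come from.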

Thank you for the replies.

The issue is that acquiring the certificates from Let’s Encrypt for this domain used to work for more than a year. Is this extra CAA check a recent development by Let’s Encrypt?

No, it's not recent. I'd guess that added (or changed) the DNS records recently.


Ah ha. Thank you for that.

I’m currently communicating with the DNS admins to add a CAA record for my subdomain. Hopefully I’ll hear back soon.

Thank you all for the replies!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.