I ran this command: sudo certbot --apache certonly
It produced this output:
Failed authorization procedure. dataone.sensor.nevada.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for dataone.sensor.nevada.edu prevents issuance
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): apache 2.4.7
The operating system my web server runs on is (include version): Ubuntu 14.04
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Is this a problem with the DNS server (which I don’t control)? Or am I messing something up? It was working fine for more than a year, up until a couple months ago and now I can’t seem to get any new certificates.
It turns out that nevada.edu has a CAA record only allowing issuance by DigiCert. If you have control over the DNS zone for dataone.sensor.nevada.edu, you can add your own CAA record allowing Let’s Encrypt to issue certificates for this domain. This record will take precedence over the nevada.edu record shown below, as CAA records are evaluated on FQDNs from left to right, stopping at the first result.
so Let's Encrypt can't issue a certificate for your domain. If you control the DNS you should be able to create a CAA record for dataone.sensor.nevada.edu where Let's Encrypt is authorized to issue a cert for this domain.
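To make the lookup rule in the two replies above concrete, here is an added example (not code from the thread or from Let's Encrypt) that models the CAA search a CA performs before issuing, following the climb-to-parent procedure of RFC 8659: check the FQDN itself, then each parent in turn, and use the first CAA RRset found. The zone data is constructed to mirror the situation described: nevada.edu carries an `issue "digicert.com"` record and dataone.sensor.nevada.edu has none, so the parent record governs; a second constructed zone shows the effect of adding the suggested record at the host name.

```python
"""Offline model of the CAA check a CA performs before issuance (RFC 8659).

Added example; the zone data below is constructed, not real DNS.
"""
from dataclasses import dataclass

CRITICAL = 128                          # CAA flags bit 7: "issuer critical"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or 128
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally followed by ";params"; ";" alone = nobody


# Constructed zone: only nevada.edu has a CAA RRset, naming DigiCert alone.
CONSTRUCTED_ZONE = {
    "nevada.edu.": [CAARecord(0, "issue", "digicert.com")],
}

# Constructed zone after applying the suggested fix: a CAA RRset at the host
# name itself, which the lookup finds before it ever reaches nevada.edu.
FIXED_ZONE = {
    **CONSTRUCTED_ZONE,
    "dataone.sensor.nevada.edu.": [CAARecord(0, "issue", "letsencrypt.org")],
}


def fqdn(name):
    """Normalise to a trailing-dot absolute name."""
    return name if name.endswith(".") else name + "."


def parent(name):
    """Strip the leftmost label: 'a.b.c.' -> 'b.c.'; a single label has no parent."""
    labels = name.rstrip(".").split(".")
    return fqdn(".".join(labels[1:])) if len(labels) > 1 else None


def find_relevant_caa(name, zone):
    """Return (owner, records) of the closest CAA RRset at or above name, else (None, [])."""
    n = fqdn(name)
    while n is not None:
        rrset = zone.get(n)
        if rrset:                       # first non-empty RRset wins; stop climbing
            return n, list(rrset)
        n = parent(n)
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_allowed(name, issuer, zone):
    """Decide whether `issuer` may issue for `name` ('*.' prefix = wildcard request)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    _owner, records = find_relevant_caa(base, zone)
    if not records:
        return True                     # no CAA anywhere in the chain: unrestricted
    # An unknown property marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:       # issuewild absent: fall back to issue
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True                     # RRset exists but names no restriction
    return any(issuer_domain(r.value) == issuer.lower() for r in relevant)


def format_caa_rr(owner, rec):
    """Presentation format of one CAA record, as it would appear in a zone file."""
    return f'{owner} IN CAA {rec.flags} {rec.tag} "{rec.value}"'


if __name__ == "__main__":
    host = "dataone.sensor.nevada.edu"
    for label, zone in (("before", CONSTRUCTED_ZONE), ("after fix", FIXED_ZONE)):
        owner, recs = find_relevant_caa(host, zone)
        print(f"[{label}] relevant CAA RRset owner: {owner}")
        for r in recs:
            print("   ", format_caa_rr(owner, r))
        print("    letsencrypt.org allowed:",
              is_issuance_allowed(host, "letsencrypt.org", zone))
```

Running it shows the relevant RRset moving from `nevada.edu.` to `dataone.sensor.nevada.edu.` once the host-level record exists, which is exactly why the per-host record overrides the parent one: the search stops at the first RRset it meets on the way up and never consults nevada.edu at all.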
The issue is that acquiring the certificates from Let’s Encrypt for this domain used to work for more than a year. Is this extra CAA check a recent development by Let’s Encrypt?