Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
cert-manager v1.7.1 should be renewing certificates automatically, but viewing the invalid challenge with:
kubectl describe challenge <challenge-name>
It produced this output:
Type Reason Age From Message ---- ------ ---- ---- ------- Normal Started 30m cert-manager Challenge scheduled for processing Normal Presented 30m cert-manager Presented challenge using HTTP-01 challenge mechanism Warning Failed 30m cert-manager Accepting challenge authorization failed: acme: authorization error for www.cronersurveys.com: 400 urn:ietf:params:acme:error:dns: DNS problem: SERVFAIL looking up CAA for www.cronersurveys.com - the domain's nameservers may be malfunctioning
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
Azure Kubernetes Service
DNS - Network Solutions
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot):
We recently had an audit that suggested we add CAA records to the DNS as best practice. We did so about a month ago and the certificates are unable to renew and expire tomorrow .
I do not have access to the DNS (Network Solutions), but the person who does removed the CAA records hoping the certificates would renew so we could at least address that expiration issue and then look at the CAA records after that. That does not seem to have worked and the certificates still get
SERVFAIL 24-hours after the CAA record was removed. It looks to me like the CAA still records still show up, but without having access to the DNS I am unable to modify anything.
Any suggestions for how to resolve this?