Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
cert-manager v1.7.1
should be renewing certificates automatically, but viewing the invalid challenge with: kubectl describe challenge <challenge-name>
It produced this output:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 30m cert-manager Challenge scheduled for processing
Normal Presented 30m cert-manager Presented challenge using HTTP-01 challenge mechanism
Warning Failed 30m cert-manager Accepting challenge authorization failed: acme: authorization error for www.cronersurveys.com: 400 urn:ietf:params:acme:error:dns: DNS problem: SERVFAIL looking up CAA for www.cronersurveys.com - the domain's nameservers may be malfunctioning
My web server is (include version):
ingress-nginx v1.1.1
The operating system my web server runs on is (include version):
5.4.0-1070-azure #73~18.04.1-Ubuntu
My hosting provider, if applicable, is:
Azure
Azure Kubernetes Service
DNS - Network Solutions
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
N/A
We recently had an audit that suggested we add CAA records to the DNS as best practice. We did so about a month ago and the certificates are unable to renew and expire tomorrow.
I do not have access to the DNS (Network Solutions), but the person who does removed the CAA records hoping the certificates would renew so we could at least address that expiration issue and then look at the CAA records after that. That does not seem to have worked and the certificates still get SERVFAIL 24 hours after the CAA record was removed. It looks to me like the CAA records still show up, but without having access to the DNS I am unable to modify anything.
Any suggestions for how to resolve this?
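Added diagnostic (not part of the original post or of cert-manager): a CA checking CAA walks from the requested name up through each parent label, and a SERVFAIL at any level blocks issuance regardless of whether CAA records are present. This script reproduces that walk and reports the DNS rcode per name, optionally against a specific resolver or each authoritative nameserver directly, which is how you tell "records still present" apart from "nameserver answers CAA queries badly". It assumes `dig` is installed; the domain argument is whatever you pass in.

```shell
#!/bin/sh
# Walk the CAA lookup chain for a name and show the rcode a CA would see.
set -u

# Names a CA consults for CAA: leaf, then each parent, down to the TLD.
caa_candidates() {
  name="${1%.}"                      # drop a trailing dot if present
  while [ -n "$name" ]; do
    printf '%s\n' "$name"
    case "$name" in
      *.*) name="${name#*.}" ;;      # strip the leftmost label
      *)   name="" ;;
    esac
  done
}

# Pull the rcode (NOERROR, SERVFAIL, NXDOMAIN ...) out of full dig output.
dig_status() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n1
}

# Query CAA for every candidate name; $2 is an optional resolver/nameserver.
check_caa_chain() {
  domain="$1"; resolver="${2:-}"
  for n in $(caa_candidates "$domain"); do
    st=$(dig ${resolver:+@"$resolver"} "$n" CAA +tries=1 +time=3 2>/dev/null | dig_status)
    printf '%-32s %s\n' "$n" "${st:-NO_RESPONSE}"
  done
}

# Ask each authoritative nameserver of the zone directly: a SERVFAIL that
# appears only here points at the nameserver mishandling CAA queries, not at
# stale records in a recursive resolver's cache.
check_caa_at_each_ns() {
  zone="$1"; leaf="${2:-$1}"
  for ns in $(dig +short "$zone" NS +tries=1 +time=3 2>/dev/null); do
    echo "== nameserver $ns"
    check_caa_chain "$leaf" "$ns"
  done
}

if [ "${1:-}" ]; then
  check_caa_chain "$1"                      # via the system resolver
  check_caa_at_each_ns "${2:-$1}" "$1"      # directly at the zone's NS set
fi
```

Run as `sh caa-check.sh www.example.com example.com`; any line that is not NOERROR or NXDOMAIN is what the ACME server is tripping over.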