Generate wildcard certificate failed

I tried my domain in letsdebug many times, and got different errors; I can’t figure out what’s wrong. Any help please?

My domain is:

I ran this command: certbot run -a manual -i nginx -d * --preferred-challenges dns

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer nginx
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Resetting dropped connection:
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Some challenges have failed.


  • The following errors were reported by the server:

    Type: dns
    Detail: During secondary validation: DNS problem: SERVFAIL looking
    up CAA for - the domain’s nameservers may be

My web server is (include version): nginx version: nginx/1.16.1

The operating system my web server runs on is (include version): CentOS Linux release 7.8.2003 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes):

I’m using a control panel to manage my site (no):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0


Hi @xp_xm

checking your domain via - you see:

Your name servers are terribly buggy.

A lot of error messages:

X Fatal error: Nameserver doesn’t support echo capitalization. That’s critical if you want to create Letsencrypt certificates. Read (2008). If a dns client asks “ExAmPlE.cOm”, the name server must answer with the same name, not with “”. Creating Letsencrypt certificates isn’t possible. Your name server provider must update the software.: /

These huaweicloud servers are known as buggy.

Your error message says: The primary servers of Letsencrypt are able to check your dns. But the secondary are not, so the validation fails.

–> switch to another dns provider or ask there.

PS: You are not the first user with these problems. See


Is there any solution for now?


You can try to create a CAA entry.

13. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout 2 2 2 2
com 0 no CAA entry found 1 0

Letsencrypt must check if there exists a blocking CAA entry. So a timeout -> maybe the connection is hacked -> Letsencrypt isn’t allowed to create a certificate.

But if Letsencrypt finds a RR, it may work.
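The two checks discussed in these replies (whether the name server echoes the question name with the client's capitalization, and whether a CAA lookup comes back SERVFAIL) can be verified on the wire. The following is an added example, not code from the thread or from any of the tools mentioned; it builds a raw DNS query, then inspects constructed sample responses offline, with all function names and the sample packets being my own.

```python
import struct

QTYPE_CAA = 257   # RR type used by the CA for the CAA lookup
SERVFAIL = 2      # RCODE reported in the certbot error above


def build_query(name: str, qtype: int, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Minimal DNS wire-format packet: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question_name(pkt: bytes, offset: int = 12) -> str:
    """Read the uncompressed question name as sent back, preserving its case."""
    labels = []
    while pkt[offset] != 0:
        ln = pkt[offset]
        labels.append(pkt[offset + 1:offset + 1 + ln].decode("ascii"))
        offset += 1 + ln
    return ".".join(labels)


def rcode(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0] & 0x0F


def check_response(query: bytes, response: bytes) -> dict:
    """Compare the echoed question name byte-for-byte and classify the RCODE."""
    echoed = parse_question_name(query) == parse_question_name(response)
    rc = rcode(response)
    return {"echoes_case": echoed, "rcode": rc, "servfail": rc == SERVFAIL}


def constructed_response(query: bytes, rc: int, echo_name: str = None) -> bytes:
    """Constructed sample response (QR=1, RD, RA, RCODE=rc) with the query's txid.
    Passing echo_name simulates a server that rewrites the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    qtype = struct.unpack("!H", query[-4:-2])[0]
    name = echo_name if echo_name else parse_question_name(query)
    return build_query(name, qtype, txid, flags=0x8180 | rc)


if __name__ == "__main__":
    q = build_query("ExAmPlE.cOm", QTYPE_CAA)           # constructed mixed-case CAA query
    print(check_response(q, constructed_response(q, 0)))                   # healthy server
    print(check_response(q, constructed_response(q, 0, "example.com")))    # lowercases the name
    print(check_response(q, constructed_response(q, SERVFAIL)))            # CAA lookup fails
```

To test a live server, send `build_query(...)` over UDP port 53 to its address and pass the reply to `check_response`; a response that does not echo the case, or answers CAA with SERVFAIL, is the symptom the replies above describe.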


I tried to add a CAA entry in the huaweicloud dns control panel, but it still couldn’t pass the challenge. So I switched the domain's DNS server to alidns, and then everything was working fine! I have reported those bugs to huawei; hope they can fix it up.


Yep, I saw the CAA entry. But the echo capitalization problem blocks that.

Most dns providers have working systems. So changing the dns provider allows creating LE-certificates.

