Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
(* is named servers, eg gallery, galleri, and the like, havn’t activated wildcards yet").
I ran this command:
certbot -c “certbot renew”
It produced this output:
Attempting to renew cert (ttsh.dk) from /etc/letsencrypt/renewal/ttsh.dk.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Error finalizing order :: Rechecking CAA: While processing CAA for roedding-karate.dk: DNS problem: SERVFAIL looking up CAA for roedding-karate.dk, While processing CAA for politi.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for politi.thetroubleshooters.dk, While processing CAA for mrtg.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for mrtg.thetroubleshooters.dk, While processing CAA for karate.thetroubleshooters.dk: DNS problem: SERVFAIL looking up CAA for thetroubleshooters.dk. Skipping.
My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:09
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
At least in this case, because the nameservers for this domain do not implement 0x20 mixed case, Let’s Encrypt’s resolver goes into “capsforid fallback mode”, observes that your nameservers respond differently to the same query, and fail the entire lookup.
Any other way to fix this problem, I am not able to contact my DNS provider (they’re not responding) atm and the domain registra doesn’t allow me to remove one name server, as they collect the set from the primary DNS…
Well, you can just keep retrying. There’s only a partial chance that it’ll fail on every attempt.
(Edit: actually, looks like you managed to “fix” it by adding an CAA record? So the bad authority section is no longer sent. But querying for any other non-existent record will still produce the issue, e.g. AAAA).