Help diagnosing CAA SERVFAIL

I have the same problem with several domains on several servers.

urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for

Still not working??

I don’t know about the DNSSEC, but it does not matter whether I try to renew or request a new cert. All are getting the same error (except for the domain name :slight_smile: )

FailedChallenges: Failed authorization procedure. lekkervaren.vrouwejitske.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for lekkervaren.vrouwejitske.nl

I have this on several servers that already worked perfectly with Letsencrypt.

@jror: Your name servers are responding with SERVFAIL to all CAA queries:

dig -t type257 vrouwejitske.nl @ns1.alt255.nl

; <<>> DiG 9.8.3-P1 <<>> -t type257 vrouwejitske.nl @ns1.alt255.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29875
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;vrouwejitske.nl.		IN	TYPE257

;; Query time: 35 msec
;; SERVER: 109.106.160.213#53(109.106.160.213)
;; WHEN: Sun Jul 16 15:27:45 2017
;; MSG SIZE  rcvd: 33

That’s not a standards-compliant response for a non-existing DNS record. If you’re running your own DNS servers, you’ll probably be able to fix this by upgrading to the latest release of your DNS software. If your DNS is hosted by a third-party, you’ll need to contact them and ask for this to be fixed, or you’d have to look into migrating to an alternative DNS provider that’s not misbehaving.

There’s no workaround for this issue on the Let’s Encrypt side of things.
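To make the diagnosis above concrete, here is an added example (not code from the original thread or from Let's Encrypt) that builds a CAA (TYPE257) query in DNS wire format, decodes the response header, and classifies the RCODE the way a CA's validator would. The constructed SERVFAIL response mirrors the header shown in the dig output (id 29875, flags qr aa rd, one question, no records); the NODATA response is a constructed minimal compliant answer. The live helper `query_caa` is an assumption about how you would point this at your own authoritative server.

```python
import socket
import struct

QTYPE_CAA = 257   # CAA record type; older dig prints it as TYPE257
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as wire-format labels, e.g. b'\\x02nl\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_caa_query(name, txid=0x1234):
    """Build a CAA query: 12-byte header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", QTYPE_CAA, QCLASS_IN)
    return header + question


def parse_header(msg):
    """Decode the DNS header; RCODE is the low 4 bits of the flags word."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify_caa_response(msg):
    """Return how a CA validator interprets this reply to a CAA query."""
    h = parse_header(msg)
    rcode = RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])
    if rcode == "NOERROR" and h["ancount"] == 0:
        return "NODATA: no CAA records, issuance allowed"
    if rcode == "NOERROR":
        return "CAA records present, CA must honour them"
    if rcode == "NXDOMAIN":
        return "NXDOMAIN: name does not exist"
    if rcode == "SERVFAIL":
        return "SERVFAIL: non-compliant for an unknown RR type, CA refuses issuance"
    return rcode


def query_caa(name, server, timeout=3.0):
    """Live check (assumed usage): send the query over UDP to an authoritative server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_caa_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_caa_response(data)


# Constructed sample responses (no network needed).
QUESTION = encode_name("vrouwejitske.nl") + struct.pack(">HH", QTYPE_CAA, QCLASS_IN)
# Mirrors the dig output: id 29875, flags qr aa rd + RCODE 2 (SERVFAIL), 1 question, no records.
SERVFAIL_RESPONSE = struct.pack(">HHHHHH", 29875, 0x8502, 1, 0, 0, 0) + QUESTION
# A minimal compliant answer for a name with no CAA records: NOERROR, empty answer section
# (a real server would usually also include the zone SOA in the authority section).
NODATA_RESPONSE = struct.pack(">HHHHHH", 29875, 0x8500, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(classify_caa_response(SERVFAIL_RESPONSE))
    print(classify_caa_response(NODATA_RESPONSE))
```

The query for `vrouwejitske.nl` is 33 bytes, which matches the `MSG SIZE rcvd: 33` in the dig output: the server echoed the question and attached nothing else. That empty reply with RCODE 2 is exactly what the validator cannot accept, whereas the same header with RCODE 0 is the NODATA answer that lets issuance proceed.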

Ok, thanks for your reply.

But what I don’t understand is why I never had this problem until last week; I already issued several certificates in the past months with the same name servers.

I split this topic into its own thread since the root cause is different from the one you were initially replying in. Thanks!

We recently made an API Announcement that explains why this started breaking for you last week. That post has advice on remediation. You will need to contact your DNS hosting provider as mentioned by @pfg (Thanks!)

Thank you for your reply.

I have contacted my sysadmin and they are working on the problem.


I created a handy tool that will allow you to directly check your domain against an Unbound server configured similarly to our production instance. Please try it out and let me know if you find it helpful: https://unboundtest.com/.


Hi jsha,

Yep, very helpful, thanks!

good tool there @jsha
