Http-01 challenge always pending for particular domain


I’ve been gradually requesting certificates for a few thousand domains, which is going very well. However, out of all of them, I’m having trouble with just one -

This domain correctly returns NOERROR for CAA queries on the sub and parent domain, and doesn’t appear to have any strange situations with inaccessible AAAA or DNSSEC issues. I’m stumped!

Why does this challenge never move forward?



What tool are you currently using?

This is a custom implementation based on

Can you provide more detail on (or logs showing) the trouble?

FYI: Let's Debug CNAME to

This is great, thanks! I didn’t know about this tool’s existence. So the next logical question is, why does it show SERVFAIL when the authoritative servers do not? Are the responses cached externally for some period of time by LetsEncrypt?

$ dig CAA
; <<>> DiG 9.10.6 <<>> CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59789
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

Never; LE doesn't cache anything DNS.

Same IP for both name servers?
Name: Address:
Name: Address:

That's pretty entertaining (and a bad idea), but I don't think it's a violation of any standard (full disclosure, I'm not the registrar). zone: The server(s) were not responsive to queries over TCP.

Ah ha! So LetsEncrypt uses TCP queries for DNS?

I can reproduce with

dig +tcp CAA
;; Connection to for failed: connection refused.

In fact, the same IP for both nameservers is a violation of IANA requirements.

Hi @rokclimb15

Good catch @rg305, thanks!

Not by default, but for cases where the response is larger than 512 bytes (our advertised EDNS buffer size value) there will be a truncated response from the authoritative nameserver and we will retry the query over TCP.

I suspect that's what is happening here, dig +norecurse shows big authority/additional information sections in the answer. Delivering a truncated answer without supporting TCP queries will result in the Let's Encrypt issuance problems you've observed.
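
The behaviour described in the two replies above (advertise a 512-byte EDNS buffer, inspect the TC bit on the UDP reply, retry over TCP) as an added example; this is not code from the thread, from Let's Encrypt or from the poster's ACME client. The query builder and header parser work on constructed wire-format bytes so the decision logic can be checked offline; the live probe function at the end is the same logic against a real server and is only for interactive use. The domain name and server address are placeholders, since the thread elides the real ones.

```python
import socket
import struct

CAA = 257  # RR type for CAA (RFC 8659)


def encode_name(name: str) -> bytes:
    """Wire-format encode a domain name as length-prefixed labels plus a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = CAA, qid: int = 0x1234, edns_udp_size: int = 512) -> bytes:
    """Build a non-recursive query (like `dig +norecurse`) with an EDNS0 OPT record
    advertising edns_udp_size as the largest UDP reply we will accept."""
    # flags=0 -> RD not set; QDCOUNT=1, ARCOUNT=1 for the OPT pseudo-record
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): owner name is root, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; the TC bit is what drives the TCP retry."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """A resolver must retry over TCP when the UDP reply carries TC=1."""
    return parse_header(udp_reply)["tc"]


# Constructed sample replies (header + question only; RR bodies omitted). The id and
# flag set mirror the dig output quoted in the thread, with TC added for the first one.
_QUESTION = encode_name("example.test") + struct.pack("!HH", CAA, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 59789, 0x8700, 1, 0, 0, 0) + _QUESTION  # qr aa rd tc
COMPLETE_REPLY = struct.pack("!HHHHHH", 59789, 0x8500, 1, 1, 0, 0) + _QUESTION   # qr aa rd


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed before the full DNS reply arrived")
        buf += chunk
    return buf


def query_with_tcp_fallback(server: str, name: str, qtype: int = CAA, timeout: float = 3.0):
    """Live probe (not run by the offline checks): UDP first, TCP only if truncated.
    A nameserver that truncates but refuses TCP will raise ConnectionRefusedError here,
    which is the failure mode the thread diagnoses."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        udp_reply, _ = u.recvfrom(4096)
    if not needs_tcp_retry(udp_reply):
        return "udp", udp_reply
    # RFC 1035 section 4.2.2: over TCP the message is prefixed with a two-byte length
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", _recv_exact(t, 2))[0]
        return "tcp", _recv_exact(t, length)


if __name__ == "__main__":
    print("TC set on constructed truncated reply:", needs_tcp_retry(TRUNCATED_REPLY))
    print("TC set on constructed complete reply:", needs_tcp_retry(COMPLETE_REPLY))
    # query_with_tcp_fallback("192.0.2.53", "example.test")  # placeholder server, manual use
```

To reproduce the thread's finding against your own authoritative servers, call `query_with_tcp_fallback` with each NS address and compare: a `"tcp"` result means the 512-byte UDP reply was truncated and TCP worked; a `ConnectionRefusedError` means exactly the combination that stalls issuance.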


Thanks @rg305 and @cpu for your help. I’ve advised the domain owner to choose a registrar with compliant DNS servers.


