I can't create an SSL certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: motofo20.de

I ran this command: certbot

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: motofo20.de
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for motofo20.de - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

My web server is (include version): Ubuntu 23.04

The operating system my web server runs on is (include version): apache2

My hosting provider, if applicable, is: Digitalocean.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I use an SSH connection

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

Just like it says: When checking the CAA record for your domain, your authoritative DNS servers are returning an error. CAA is an optional way to specify which Certificate Authorities are allowed to issue for your domain, and while you don't need to have a record, your DNS server needs to say that you don't have a record rather than giving an error.

DNSViz has a report of the problems: motofo20.de | DNSViz

You may also want to look through the Let's Encrypt documentation on CAA, especially the part about "CAA Errors":

What you need to do is have your DNS provider fix the problem.

5 Likes
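The distinction the answer above draws, as an added example that is not part of the original thread: a CAA lookup that returns "no record" lets validation continue, while an error such as SERVFAIL blocks it. The function names and the constructed response headers are assumptions made for this sketch.

```python
import socket
import struct

CAA = 257  # DNS RR type number for CAA
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive DNS query for the CAA record set of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", CAA, 1)  # QTYPE=CAA, QCLASS=IN

def classify_caa_response(resp: bytes) -> tuple[bool, str]:
    """Return (lookup_ok, reason) based on the header of a CAA response."""
    if len(resp) < 12:
        return False, "truncated response"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount == 0:
        return True, "NOERROR with empty answer: no CAA record, nothing restricts issuance"
    if rcode == 0:
        return True, f"NOERROR with {ancount} answer(s): the CA evaluates the CAA set"
    if rcode == 3:
        return True, "NXDOMAIN: the name does not exist, so it has no CAA record"
    return False, f"{RCODES.get(rcode, f'RCODE {rcode}')}: lookup failed, issuance is blocked"

def lookup_caa(name: str, server: str, timeout: float = 3.0) -> tuple[bool, str]:
    """Send the query over UDP to `server` (a resolver IP) and classify the reply."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_caa_query(name), (server, 53))
            return classify_caa_response(s.recv(4096))
    except OSError as exc:  # includes timeouts: no answer is also a failed lookup
        return False, f"no usable response: {exc}"

def fake_response(rcode: int, ancount: int = 0) -> bytes:
    """Constructed response header (QR=1, RD=1, RA=1) so the demo runs offline."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__":
    for label, pkt in [("healthy zone, no CAA", fake_response(0)),
                       ("broken nameserver", fake_response(2))]:
        print(label, "->", classify_caa_response(pkt))
```

`lookup_caa` is the live variant; point it at a resolver you operate to confirm whether the error is still being returned after the DNS provider changes something.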

So in my case DigitalOcean needs to fix it, or? Because it is my hoster and all my records are there.

Your nameservers are nsv2.nitrado.de and nsv0.nitrado.net. I don't know if those are run by Digital Ocean, but I'd guess not.

7 Likes

Odd. When I first looked at your link's options it showed an Error and Warnings. But, I now see just Warnings. I still get a SERVFAIL from my own system so definitely still a problem.

Just wanted to note this in case someone else tries re-running DNSviz. In fact, if you don't select CAA record in its options you don't get any warnings at all.

6 Likes
