I believe your provider's DNS servers do not respond to CAA queries. This is needed for Let’s Encrypt, so this needs to be fixed; if it doesn’t get fixed, you will not be able to use any Certificate Authorities.
From September 2017, every certificate MUST CHECK for CAA records, so your providers need to answer these.
I have used letsencrypt-win-simple too, and got the same result.
For my old domain and old web server, qd.zs139.com, the DNS server also doesn’t respond to CAA queries, but it can pass the verification.
There is a reverse proxy between my new web server and the internet; does it matter?
The DNS server doesn't need to return a CAA record, it just needs to not return an error. In the case of the nameservers for zs139.com, they just return an empty answer with "NOERROR".
For the zj.chinamobile.com zone, the server returns a SERVFAIL, which is a problem for the lookup.
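The difference between the two responses described in the reply above, as an added example that is not part of the original thread: it encodes a CAA query (type 257) and classifies a response by its header alone. The domain name, the `fake_response` helper and the response packets are constructed for illustration, and only the two outcomes named in the thread are classified.

```python
import struct

CAA_TYPE = 257  # CAA resource record type
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(name, txid=0x1234):
    """Encode a DNS query asking for the CAA records of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, 1)  # class IN

def classify_caa_response(packet):
    """Return (rcode_name, answer_count, lookup_ok) from a DNS response header.

    lookup_ok is True for NOERROR (an empty answer is fine: it means no CAA
    record), False for SERVFAIL, and None for rcodes the thread does not cover.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    name = RCODES.get(rcode, "RCODE%d" % rcode)
    lookup_ok = {0: True, 2: False}.get(rcode)
    return name, ancount, lookup_ok

def fake_response(query, rcode):
    """Constructed sample: an answerless response to `query` with `rcode`."""
    flags = 0x8180 | rcode  # QR + RD + RA, plus the response code
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_caa_query("example.test")  # constructed name
    for rc in (0, 2):
        print(classify_caa_response(fake_response(q, rc)))
```

To check a real zone, send the bytes from `build_caa_query` over UDP port 53 to one of the zone's authoritative nameservers and pass the reply to `classify_caa_response`.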