New certificate application always fails

We are using certbot to help our customers obtain new certificates and renew existing ones.
Everything works well, except that there is one domain for which the certificate application never succeeds. Can you please help investigate this?

www.toastforwine.com

Thanks, Jean

1 Like

Your thread is more suitable for the Help section than the Client dev category (as it has nothing to do with development of an ACME client). I have moved your thread accordingly.

If you had opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


That said, it seems there's something not correct with the DNS CAA resolving for your website. See: Let's Debug and e.g. www.toastforwine.com | DNSViz

4 Likes

Yeah, the two A addresses point to AWSGlobalAccelerator. This is often used for URL redirect services (like with GoDaddy). The URL Redirect service needs to be disabled and the A record IP pointed directly to their server.

A URL Redirect service would also explain why we see this cert for their HTTPS even though they have a valid DigiCert cert available.

openssl s_client -connect www.toastforwine.com:443

subject=CN = sni-support-required-for-valid-ssl
issuer=CN = sni-support-required-for-valid-ssl
notBefore=Jul 12 10:32:02 2023 GMT
notAfter=Jul  9 10:32:02 2033 GMT

5 Likes
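
As an added example (not part of the original thread), the openssl output posted above can be checked programmatically for the two signs of a placeholder certificate: a subject identical to the issuer, and a validity period far longer than a public CA issues. The function names and the second sample are constructed for illustration.

```python
from datetime import datetime

# Certificate fields exactly as posted in the thread above.
THREAD_OUTPUT = """\
subject=CN = sni-support-required-for-valid-ssl
issuer=CN = sni-support-required-for-valid-ssl
notBefore=Jul 12 10:32:02 2023 GMT
notAfter=Jul  9 10:32:02 2033 GMT
"""

# Constructed sample for contrast: names and dates are made up.
CONSTRUCTED_CA_OUTPUT = """\
subject=CN = www.example.com
issuer=C = US, O = Example CA, CN = Example Issuing CA
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 00:00:00 2024 GMT
"""

# 398-day maximum from the CA/Browser Forum Baseline Requirements (since 2020).
MAX_PUBLIC_VALIDITY_DAYS = 398


def parse_fields(text):
    """Turn 'key=value' lines into a dict, splitting on the first '=' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_openssl_date(value):
    # openssl pads single-digit days with a space ("Jul  9"); normalise it.
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")


def assess(text):
    """Return findings that mark the certificate as a placeholder, not a CA-issued one."""
    f = parse_fields(text)
    findings = []
    if f["subject"] == f["issuer"]:
        findings.append("self-signed: subject equals issuer")
    days = (parse_openssl_date(f["notAfter"]) - parse_openssl_date(f["notBefore"])).days
    if days > MAX_PUBLIC_VALIDITY_DAYS:
        findings.append("validity of %d days exceeds public CA limit" % days)
    return findings
```
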
