Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: blog.lublu.nl
I ran this command: Let's Encrypt Plugin via cPanel.
You don't need any A/AAAA records to obtain a cert via DNS-01 challenge.
That said, all FQDNs must first pass CAA checks.
It seems there is some issue with the authoritative DNS servers and their response to the existence (or lack thereof) of any CAA records in your zone.
Does your DNS Service Provider (DSP) support CAA records?
[Wherever you can create new records in your zone, do you see an option for "new CAA record"?]
I'm thinking that if they do (highly likely), you could just add an entry to replicate the current outcome and have it allow any CA to issue certs for your domain.
Like: 0 issue "*"
OR 0 iodef "mailto:your@email"
Just to see if having an entry as opposed to the current "empty" entry makes any difference in this case.
If so, then we need to better understand exactly which DNS system (and version) they are using; as this may very well be a bug in their DNS system.
Or, seeing as all the certs that have ever been issued for your domain have come from LE (thanks for that), you could also take this opportunity to lock down your domain's CAA record to the CA that you would expect to be allowed to issue certs for your domain ("LE") and put that entry to some real work!
Like: 0 issue "letsencrypt.org"
AND 0 iodef "mailto:your@email"
Again, my interest here is trying to understand where the DNS problem exists and what might be a simple workaround to overcome it.
Unfortunately, even within the few domains that I haven't ever added any CAA records to, none of them are showing this problem. So, I think it is likely a problem within the DNS software the DSP is using.
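As an added example (not part of the original thread, and not Let's Encrypt's own code), here is a small Python model of the CAA processing a CA performs under RFC 8659: climb from the requested FQDN toward the root, take the first non-empty CAA RRset, and then decide whether a given CA is permitted to issue. The DNS data is a constructed in-memory table, not real answers from blog.lublu.nl's nameservers; the name `broken.example.net.` is modelled as a server that returns SERVFAIL instead of a NODATA answer, which is the failure mode being discussed above. Treating a lookup error as "do not issue" (rather than as "no records") is the conservative behaviour shown here; note that an empty RRset and a failed lookup lead to opposite results.

```python
"""Model of RFC 8659 CAA lookup and the resulting issuance decision."""
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = "issuer critical"
    tag: str
    value: str


class CAALookupError(Exception):
    """Raised when the authoritative server errors instead of answering."""


# Constructed sample data (hypothetical names, not real DNS answers).
# A name maps to its CAA RRset, or to "SERVFAIL" to simulate a broken server.
SAMPLE_ZONES = {
    "example.org.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "iodef", "mailto:hostmaster@example.org")],
    "locked.example.org.": [CAA(0, "issue", ";")],          # nobody may issue
    "strict.example.org.": [CAA(128, "futuretag", "x")],    # unknown critical tag
    "broken.example.net.": "SERVFAIL",
}


def format_caa(record):
    """Render a record in zone-file form, e.g. 0 issue "letsencrypt.org"."""
    return f'{record.flags} {record.tag} "{record.value}"'


def lookup_caa(name, zones):
    """Return the CAA RRset for name (possibly empty); raise on a lookup failure."""
    answer = zones.get(name, [])
    if answer == "SERVFAIL":
        raise CAALookupError(f"SERVFAIL looking up CAA for {name}")
    return list(answer)


def relevant_caa_set(fqdn, zones):
    """Walk from fqdn to the root; the first non-empty RRset is the relevant one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = lookup_caa(name, zones)
        if rrset:
            return name, rrset
    return None, []


def may_issue(fqdn, ca, zones, wildcard=False):
    """Decide whether CA `ca` may issue for fqdn. Returns (allowed, reason)."""
    try:
        origin, rrset = relevant_caa_set(fqdn, zones)
    except CAALookupError as exc:
        # Conservative: a lookup error is not the same as "no CAA records".
        return False, str(exc)
    if not rrset:
        return True, "no CAA records found up to the root: any CA may issue"
    # An unrecognised property marked critical must block issuance.
    for r in rrset:
        if r.flags & 128 and r.tag not in KNOWN_TAGS:
            return False, f"unrecognised critical property {r.tag} at {origin}"
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in rrset if r.tag == tag]
    if wildcard and not props:               # issuewild falls back to issue
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True, f"CAA at {origin} has no {tag} property: issuance not restricted"
    for r in props:
        issuer = r.value.split(";")[0].strip()   # drop any parameters
        if issuer == ca:
            return True, f"CAA at {origin} permits {ca}: {format_caa(r)}"
    return False, f"CAA at {origin} does not permit {ca}"


if __name__ == "__main__":
    for host in ("blog.example.org.", "www.locked.example.org.",
                 "blog.broken.example.net.", "host.unrelated.test."):
        print(host, may_issue(host, "letsencrypt.org", SAMPLE_ZONES))
```

Running this with the constructed data shows the distinction the reply is getting at: `host.unrelated.test.` has no CAA records anywhere and is allowed, while `blog.broken.example.net.` is refused purely because an ancestor's server failed the lookup, even though no record forbids issuance.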