Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: mhanj.org
I ran this command: certbot renew --cert-name www.mhanj.org ...
It produced this output:
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.mhanj.org
Type: dns
Detail: DNS problem: looking up CAA for www.mhanj.org: DNSSEC:
Bogus
My web server is (include version): httpd-2.4.6-97.el7
The operating system my web server runs on is (include version): CentOS Linux release 7.8.2003
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.7.0
I've found multiple posts on the same topic (e.g. Error when trying to create ssl cert). DNSSEC was recently enabled on the domain (noted above) with DNS hosted at Network Solutions. Since then, we've been unable to renew the certificate.
I've tried adding a CAA record:
$ dig caa mhanj.org. @ns46.worldnic.com. +short
0 issue "letsencrypt.org"
$
but this doesn't seem to have helped. The GUI (control panel?) for Network Solutions DNS does not appear to permit one to enter a CAA for any name in a domain other than @. Note that www.mhanj.org is its own A record rather than a CNAME to @, in case that is significant.
Is the only solution to disable DNSSEC? Might switching from http-01 to DNS authorization (using acme.sh) work better, or would this have the same issue? Is there a better solution?
Thanks.