Random LetsEncrypt errors on domain record lookups

Random domains are failing to validate when I try to renew certs - different domains each time.

All validation checks I've done suggest the domains are correctly configured and exist in a letsencrypt cert we already have.

The error message suggests it's a server side DNS timeout. Is there anything we can do to mitigate or resolve the issue?

Here is an example from a recent attempt:

Notifying user: 
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: consent.calmmoment.com
  Type:   dns
  Detail: DNS problem: networking error looking up CAA for com

  Domain: consent.gardensillustrated.com
  Type:   dns
  Detail: DNS problem: networking error looking up CAA for com

  Domain: consent.whodoyouthinkyouaremagazine.com
  Type:   dns
  Detail: DNS problem: networking error looking up CAA for consent.whodoyouthinkyouaremagazine.com

Hint: The Certificate Authority failed to verify the challenge files created by the --manual-auth-hook. Ensure that this hook is functioning correctly. Refer to "certbot --help manual" and the Certbot User Guide.

certbot args:

        certonly -n --agree-tos \
        --email CERTBOT_EMAIL \
        --server https://acme-v02.api.letsencrypt.org/directory \
        --key-type rsa \
        --manual --manual-public-ip-logging-ok \
        --preferred-challenges http \
        --manual-auth-hook ./auth.sh \
        --manual-cleanup-hook ./cleanup.sh \
        -d consent.calmmoment.com [-d ....] \
        --config-dir ./config \
        --work-dir ./work \
        --logs-dir ./logs \


1 Like

I wonder if this is related to the DNS software upgrade they're doing

They don't have anything posted on the status page, though. I'm not sure if the expected time is now or 23½ hours from now.


Hi @eric-at-sourcepoint, and welcome to the LE community forum :slight_smile:

Please try testing with the staging environment.
Just add "--dry-run"


Hi @rg305

I tried running with --dry-run three times. All three reported The dry run was successful.

The dry-runs ran considerably faster so I'm not sure they did all the dns checks the prod environment does - but it did work.

It's possible retrying several times will result in a cert from the prod environment - but I want to avoid this unless it's just us experiencing the issue.

That's good news.

That's even better news!

They do - [they have to].

It's worth the try - I would.
That said, be careful not to exceed the posted rate limits:
Rate Limits - Let's Encrypt (letsencrypt.org)


hi @petercooperjr

Reading the linked thread, the issues I am having look similar to the ones reported there.

It sounds like the fix is being deployed to prod tomorrow?

1 Like




thanks for the warning @rg305

I'll monitor the thread linked by @petercooperjr for updates on the prod release tomorrow.

thanks everyone!


We've delayed the rollout of Unbound 1.18 because that upgrade caused issues for at least one subscriber, who fixed their setup. So I'm rolling it out again tomorrow.

This would be new information that the Unbound 1.18 (in Staging for a while) fixes an existing production issue rather than surfaces new ones, but that would be welcome.


LetsEncrypt is no longer reporting DNS network errors at random for any of the certs we've requested.

We are able to get certs without CAA lookup errors on TLDs like .com and .es.

thanks for everyone's help!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.