Renew Produced an Unexpected Error

My domain is:

I ran this command: sudo certbot renew

It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "" and 7 more identifiers failed. Refer to sub-problems for more information. Skipping.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): MacOS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.37.1

So as I've been using this service to get SSL certs for many domains for a few years now but as of mid october, this domain has been unable to renew. It's giving me this weird error that I don't understand. I have made no changes to my dns setup or my certbot script setup. I'm not sure why this has stopped renewing, and even more strangely, all my other domains keep renewing without any issue.

I don't think it's anything you can control.
Search through this site for recent entries for "DNS" and "HOVER.COM".

Also, if you want the nitty gritty failure details see:


There is also this post from 4 days ago:


Looks like it indeed.

Unbound 1.16: all good (

Unbound 1.18: SERVFAIL (

Adding a CAA RR for the failing hostnames should work. Or change to a more RFC conforming DNS provider.

Note that for the hostname the DNS query on 1.18 doesn't fail, because the SOA RR is send with the NOERROR reply. But for the t subdomain the SOA RR is NOT send, leading to this SERVFAIL.


And in case you hadn't seen it yet, here's the official announcement of what changed:

You may want to mention it in a support ticket to or the like. They don't need to support CAA records (from reading other threads, it looks like they don't), but they do need to support sending a correct "no record found" response.


If you try it in Staging as-is, we're running Unbound 1.19 there. If that solves the problem, that'd be very useful to know for timing purposes.


It would also be great if @jsha had some time to add 1.19 as an option to Unboundtest.


So curiously,'s cert renewed last night. But I just ran the unboundtest and it still "fails" the same way it was before. Which suggests didn't make any changes. Did LE?

1 Like

Yes, Let's Encrypt upgraded to Unbound 1.19 yesterday.

Unboundtest hasn't been updated to offer it yet.


Oh I thought word was that was potentially weeks away.

1 Like

Yeah, they decided to throw caution to the wind and hope that it solved more problems for people than it might cause. :slight_smile:

Really as far as I can tell the DNS systems that Unbound 1.18 wouldn't resolve are still "wrong", but it appears that 1.19 is (at least in some cases) allowing them to get away with it still anyway.


I did create a support ticket for hover and i have not heard back one way or the other.


According to this article hover use an outdated version of PowerDNS, possible V3 or lower, possibly customised. It apparently doesn't support CAA records:

I raised this discussion with the PowerDNS devs/community to see if they know anything (I used your example domain since it was already published here, hope that's ok): Are SOA results returned for CAA queries where no CAA record exists? · PowerDNS/pdns · Discussion #13657 · GitHub


Quite alright. All advertising is good advertising :stuck_out_tongue:

Oh wait on second thought, the "t." subdomain is a new site i'm working on that isn't live yet. A better subdomain to use if by chance anyone reading this needs use my site as an example in the future would be and/or The new modern mobile site and tablet site are both under construction.


There's no thing as "bad press"!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.