Security Certificate Won't Auto-renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: AutoSSL

It produced this output: MASTER DCV: DNS problem: SERVFAIL looking up CAA for - the domain’s nameservers may be malfunctioning (urn:acme:error:dns)

My web server is (include version): Bluehost, shared,box5845, Apache 2.4.39

The operating system my web server runs on is (include version): Linux with cPanel

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know what this means

I’m a novice. Building a website with and a customizable theme. I have been rolling along for months and now am getting messages that my SSL certificate has expired. I checked the status and some auto-renewed, some did not. I know bits and pieces and may have moved something in ftp that I shouldn’t have when I was “exploring…” Help! Can I just copy the certificate from a domain that hasn’t expired and paste it into the domains that have? Thank you!


Hi @clindykersey

are you the domain owner of That domain is buggy -

There is a Refused answer, that blocks checking the CAA of your subdomain.

If it is your domain, fix your DNS. A NoData should be sent.

If you use only the subdomain, try to add a CAA with or

If one of these entries exists, the main domain isn’t checked.


X Fatal error: Nameserver doesn’t support TCP connection: / Refused
X Fatal error: Nameserver doesn’t support TCP connection: / Refused

Terrible. Authoritative name servers must support TCP connections.

There are some older Letsencrypt certificates. But they were created last year.


It is my domain - created it years ago and I’d like to change it. It’s for a Community Youth Center project I worked on. I’ve been afraid to tackle that but I’ll start there. Back shortly.


There is a check of your subdomain -

That looks curious:

Both subdomains don’t have a Refused-answer.

Perhaps use

to create a CAA entry. Then the main domain isn’t checked.


Related, probably:

# dig +short ns
# dig +short ns
# dig +short ns


# dig +nocmd +noall +auth ns
          86400   IN      NS
          86400   IN      NS
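The CAA lookup behaviour discussed in this thread, as an added example that is not part of the original posts: a small offline model of the RFC 8659 tree climb, showing why a Refused answer at the parent blocks issuance and why a CAA record on the subdomain stops the parent from being queried. The names under `example.org`, the answer maps, and the simplified `issue`-only matching are assumptions made for the illustration.

```python
# Simulated CAA answers (constructed data, no network access).
NODATA, REFUSED, SERVFAIL = "NODATA", "REFUSED", "SERVFAIL"

def relevant_caa(fqdn, answers):
    """Climb from fqdn toward the root, as RFC 8659 describes.

    answers maps a name to a list of (tag, value) CAA records or to an
    error marker. Names missing from the map answer NODATA.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        resp = answers.get(name, NODATA)
        if isinstance(resp, list):
            if resp:
                return "found", resp  # first non-empty set wins; stop climbing
        elif resp != NODATA:
            # REFUSED/SERVFAIL is not "no CAA": a restriction might exist,
            # so the CA has to give up instead of climbing further.
            return "lookup-failed", name
    return "none", []

def may_issue(fqdn, answers, ca="letsencrypt.org"):
    """Return (allowed, reason) for a non-wildcard name."""
    status, data = relevant_caa(fqdn, answers)
    if status == "lookup-failed":
        return False, f"CAA lookup failed at {data}"
    if status == "none":
        return True, "no CAA records in the tree"
    issuers = [value.split(";")[0].strip() for tag, value in data if tag == "issue"]
    if not issuers or ca in issuers:
        return True, "CAA permits this CA"
    return False, "CAA names other CAs only"

if __name__ == "__main__":
    cases = {
        "parent refuses": {"example.org": REFUSED},
        "subdomain has CAA": {"www.example.org": [("issue", "letsencrypt.org")],
                              "example.org": REFUSED},
        "DNS fixed (NoData)": {},
    }
    for label, answers in cases.items():
        print(label, "->", may_issue("www.example.org", answers))
```
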
