We have a 3rd party vendor that runs one of our public websites. This vendor uses cPanel and issues SSL certs through that. We manage our DNS ourselves, so they are coming back to us with this error.
It's a warning but they are insisting it must be fixed.
The warning is:
WARN “Let’s Encrypt™” HTTP DCV error (www.redacteddomain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for www.redacteddomain.com- the domain's nameservers may be malfunctioning)
They are saying "you must create a CAA record for the domain www.redacteddomain.com" WWW is an A record, not a DNS zone, so there is no way to make a CAA record for it.
When we validate our CAA record for our domain redacteddomain.com it comes back as valid and includes letsencrypt
redacteddomain.com. 3600 IN CAA 0 iodef "mailto:email@example.com"
redacteddomain.com. 3600 IN CAA 0 issue "letsencrypt.org"
redacteddomain.com. 3600 IN CAA 0 issue "sectigo.com"
why are we getting this warning when a SSL cert for lets encrypt is renewed? What causes it? what do you do about it? our CAA appears to be correct for the domain.
You don't need to have a CAA record for your domain, but your DNS host needs to respond properly when asked for one. "There's no CAA record here" is a proper response. "What's a CAA record?" isn't. If your DNS host is giving SERVFAIL (i.e., "What's a CAA record?") when queried for the CAA record, it's very badly broken. Creating that record might solve the immediate problem, but the real solution is to use a less-broken DNS host.