Subdomain on different server/IP


Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
certbot-auto certonly --webroot -w /var/www/html -d --email --agree-tos

It produced this output:
`Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for

 - The following errors were reported by the server:

   Type:   connection
   Detail: DNS problem: query timed out looking up CAA for`

My operating system is (include version): CentOS 7

My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16

My hosting provider, if applicable, is: –

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


CAA is a DNS record type that allows domain owners to record their policy about Certification Authorities. If a domain says Let’s Encrypt mustn’t be used, the Let’s Encrypt system will automatically reject requests for that domain. This is a voluntary safeguard.

In your case, when Let’s Encrypt tried to ask about CAA the DNS system for didn’t reply at all to a request for this record, neither to say there isn’t one (in which case Let’s Encrypt would issue) nor to say here it is (in which case Let’s Encrypt would examine the CAA to decide if it’s permitted to issue). Not replying at all is an error, you may need to talk to the people who control DNS for to ensure they’re running an up-to-date DNS server and that it understands how to deal with a CAA query, whether with a response or to say no there is no CAA record.


I spoke with the hostmaster at the company which is authoritative DNS for our domain ( They didn’t have a clue what I was talking about. (“Not familiar with the CAA record…”).
I can see that querying i.e. Google’s DNS for TYPE 257 on the host in question returns “SERVFAIL” (which, I understand is accepted by Let’s Encrypt). But querying our DNS supplier indeed times out. :frowning:

The strange thing is that I have already succeeded in creating and deploying certificates for another host in the same domain:, and another domain hosted at the same company: The only difference between those and this third domain is that those are actually hosted on virtual servers at the same company that supplies DNS, whereas is physically hosted elsewhere.

Any guess why those succeeded the this third does not?


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.