Trouble with Issuing Certs Due to CAA


I am having problems renewing certificates, my site shows that SERVFAIL looking up CAA for

Performing the following challenges:
http-01 challenge for
Waiting for verification…
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.


Do I need to place something into the CAA records for my domains?

The problem seems to be with DNSSEC.

Hi @Uneschewed

looks like you have already fixed the problem.

There is a new Letsencrypt certificate ( ).
expires in 90 days - 1 entry

The tool doesn’t see a DNSSEC error, perhaps it was a temporary problem.

But you should create one certificate with both domain names.

And there are a lot of cPanel-certificates.

PS: No, I see the same problem (didn’t read the output completely).

There is an NSEC that confirms that no www version exists.
	DS-Query in the parent zone has a valid NSEC RR as result with the domain name between the NSEC-Owner and the NextOwner. So the parent zone confirmes the non-existence of a DS RR.

But you have created a www entry.

Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout
 | A | | yes | 1 | 0
 | AAAA | | yes | |
 | A | | yes | 1 | 0
 | AAAA | | yes | |

So it looks like your DNSSEC isn’t updated.


There’s a wildcard A record, and also an NSEC record saying that no subdomains – the wildcard, www or anything else – exist.

Epik needs to run sudo pdnsutil rectify-zone – or sudo pdnsutil rectify-all-zones and ensure that zones are automatically rectified in the future.
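The mismatch described in the replies above (records published for the wildcard and www while a signed NSEC still says nothing exists below the apex) can be checked offline. This is an added example, not code from the thread or from PowerDNS; the `example.com` names and both NSEC chains are constructed, and the function names are hypothetical. It goes slightly beyond the thread by implementing the general RFC 4034 canonical name ordering that NSEC coverage relies on.

```python
# Added example: which published names does an NSEC chain deny?
# All zone data below is constructed for illustration (example.com).

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercase labels, compared right to left as octets."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def in_zone(name, apex):
    """True if name is the apex or sits below it."""
    n, a = canonical_key(name), canonical_key(apex)
    return n[:len(a)] == a

def nsec_covers(owner, next_name, qname):
    """True if the NSEC (owner -> next_name) proves qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC in the chain: its next name wraps back to the apex.
    return q > o or q < n

def denied_but_published(apex, nsec_chain, published):
    """Names that have records in the zone yet are denied by the signed chain."""
    return [name for name in published
            if in_zone(name, apex)
            and any(nsec_covers(o, n, name) for o, n in nsec_chain)]

APEX = "example.com"
PUBLISHED = ["example.com", "*.example.com", "www.example.com"]

# Stale chain: one NSEC at the apex pointing back to the apex,
# i.e. "no subdomains exist", as described in the thread.
STALE_CHAIN = [("example.com", "example.com")]

# Chain after the zone has been rectified: every owner name is linked in.
RECTIFIED_CHAIN = [
    ("example.com", "*.example.com"),
    ("*.example.com", "www.example.com"),
    ("www.example.com", "example.com"),
]

if __name__ == "__main__":
    print("stale:    ", denied_but_published(APEX, STALE_CHAIN, PUBLISHED))
    print("rectified:", denied_but_published(APEX, RECTIFIED_CHAIN, PUBLISHED))
```

A non-empty result means the signed denial and the zone contents disagree, which is the state a zone rectify is meant to repair.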

