Symptoms
When AutoSSL is run, it fails on certain domains with one of the following errors:
“Let’s Encrypt™” DCV error (domain.com): DNS problem: SERVFAIL looking up CAA for domain.com
“Let’s Encrypt™” HTTP DCV error (domain.com): urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: While processing CAA for domain.com: DNS problem: looking up CAA for domain.com: DNSSEC: Bogus: validation failure <domain.com. CAA IN>)
There was a problem with a DNS query: (During secondary validation: While processing CAA for domain.com: DNS problem: SERVFAIL looking up CAA for domain.com - the domain's nameservers may be malfunctioning)
In each of the above AutoSSL failures, the check failed because the DNS lookup for the domain's CAA record returned a SERVFAIL response instead of an answer.
Workaround
A CAA record is not required on a domain: when a domain has no CAA record, there are no restrictions on which Certificate Authority may issue an SSL certificate for it.
However, in some cases the nameserver that handles DNS for your domain returns a SERVFAIL response for the CAA query when no CAA record exists, instead of a NOERROR response with an empty answer. This causes AutoSSL to fail, because a SERVFAIL response indicates that the nameserver encountered an error while processing the request, not that the record is absent.
To resolve this, you must add a CAA record on your domain with the value "letsencrypt.org".
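The following Python example is added here and is not part of the original article or of AutoSSL: it models how a CA such as Let's Encrypt evaluates a single CAA lookup, so you can see why an empty NOERROR answer permits issuance while a SERVFAIL blocks it, and it prints the zone record the workaround above asks you to add. The DnsResponse class and all responses are constructed for the example; no real DNS traffic is sent.

```python
"""
Added example (not from the original article): a minimal model of CAA
evaluation for one name, following the rules of RFC 8659, plus the zone
record that the workaround above tells you to add.
"""
from dataclasses import dataclass, field


@dataclass
class DnsResponse:
    """Stand-in for a CAA query response (constructed for this example)."""
    rcode: str                                   # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    caa_records: list = field(default_factory=list)  # entries of (flags, tag, value)


def caa_permits_issuance(resp, ca_domain="letsencrypt.org"):
    """Decide whether the CA named by ca_domain may issue, based on one lookup.

    Returns (allowed, reason). Simplifications: only the queried name is
    evaluated (no climb to the parent zone) and only the "issue" property
    is considered, which is enough to illustrate the failure in this article.
    """
    # A lookup error is not the same as "no record": the CA must refuse.
    if resp.rcode == "SERVFAIL":
        return False, "DNS problem: SERVFAIL looking up CAA (nameserver or DNSSEC error)"
    if resp.rcode not in ("NOERROR", "NXDOMAIN"):
        return False, f"unexpected response code {resp.rcode}"

    # Collect the CA names listed in "issue" properties; "issue ;" lists none.
    issue_values = [value for _flags, tag, value in resp.caa_records if tag == "issue"]
    if not issue_values:
        # No issue restrictions published: any CA may issue.
        return True, "no CAA issue restrictions"
    allowed_cas = {v.split(";")[0].strip() for v in issue_values}
    if ca_domain in allowed_cas:
        return True, f"{ca_domain} is listed in a CAA issue record"
    return False, f"CAA issue records do not list {ca_domain}"


def caa_zone_record(name, ca_domain="letsencrypt.org"):
    """Zone-file line for the CAA record suggested by the workaround."""
    return f'{name}. IN CAA 0 issue "{ca_domain}"'


if __name__ == "__main__":
    # Constructed scenarios that mirror the article's symptoms and workaround.
    broken = DnsResponse("SERVFAIL")                       # nameserver errors on CAA query
    empty = DnsResponse("NOERROR")                         # correct "no record" answer
    fixed = DnsResponse("NOERROR", [(0, "issue", "letsencrypt.org")])
    for label, resp in (("broken", broken), ("empty", empty), ("fixed", fixed)):
        print(label, caa_permits_issuance(resp))
    print("record to add:", caa_zone_record("domain.com"))
```

The "broken" scenario reproduces the AutoSSL error above: the CA cannot tell a misbehaving nameserver from a deliberate restriction, so it must treat SERVFAIL as a validation failure. Once the record from caa_zone_record is published, the query returns an answer and the lookup succeeds.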
For further information regarding CAA records, please see the following: