Issuing a Let's Encrypt certificate in Plesk fails when using external DNS: DNS problem: SERVFAIL looking up CAA for example.com

kb: technical ext: sslit

Symptoms

  • An attempt to issue a Let's Encrypt certificate in Plesk fails with the following error:

    Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/170110130/120505529288.

    Details:
    Type: urn:ietf:params:acme:error:caa
    Status: 403

    Detail: Error finalizing order :: While processing CAA for example.com: DNS problem: SERVFAIL looking up CAA for example.com - the domain's nameservers may be malfunctioning

  • An external DNS service is used to host the domain's DNS zone.

Cause

The external DNS server does not process CAA queries correctly and returns SERVFAIL instead of NOERROR.

Resolution

  • Contact the DNS server administrator to address the issue.
As a workaround:
  • Add a CAA record like the example below to the externally hosted DNS zone of the domain:

    example.com. CAA 0 issue "letsencrypt.org"
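
To confirm the cause above, or to verify the fix, the response code that a nameserver returns for a CAA query can be read directly from the DNS reply header. The following is an added example, not Plesk or Let's Encrypt code; the function names, the sample reply headers and the nameserver address are assumptions made for illustration.

```python
import socket
import struct

CAA_TYPE = 257  # CAA resource record type (RFC 8659)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(domain, txid=0x1234):
    """Build a DNS query packet asking for the CAA RRset of `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, 1)  # QTYPE=CAA, QCLASS=IN

def check_caa_response(response):
    """Return (rcode name, answer count, ok) for a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    name = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    # The article names NOERROR as the healthy reply (an empty answer section
    # is fine); every other rcode is flagged for the DNS administrator.
    return name, ancount, name == "NOERROR"

def query_caa(domain, nameserver, timeout=3.0):
    """Send the CAA query to `nameserver` over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_caa_query(domain), (nameserver, 53))
        return sock.recvfrom(4096)[0]

# Constructed sample reply headers (not captured traffic): QR, RD and RA set.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR_EMPTY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, reply in (("broken", SAMPLE_SERVFAIL), ("healthy", SAMPLE_NOERROR_EMPTY)):
        print(label, check_caa_response(reply))
    # Live check against the zone's nameserver (192.0.2.53 is a placeholder):
    # print(check_caa_response(query_caa("example.com", "192.0.2.53")))
```

Run the live check against each authoritative nameserver of the zone, since only one of them may be returning SERVFAIL.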
