Knowledge Base

Issuing a Let’s Encrypt certificate in Plesk fails when using external DNS: DNS problem: SERVFAIL looking up CAA for example.com

Symptoms

An attempt to issue a Let's Encrypt certificate in Plesk fails with the following error:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/170110130/120505529288.
Details:
Type: urn:ietf:params:acme:error:caa
Status: 403
Detail: Error finalizing order :: While processing CAA for example.com: DNS problem: SERVFAIL looking up CAA for example.com - the domain's nameservers may be malfunctioning
External DNS service is being used to host the domain DNS Zone.

Cause

External DNS server does not process CAA requests correctly and SERVFAIL is returned instead of NOERROR.

Resolution

Contact DNS server administrator to address the issue.

As workaround:

Add a CAA record like below example into the externally hosted domain DNS zone:
example.com. CAA 0 issue "letsencrypt.org"

Related Posts

DNS_PROBE_FINISHED_NXDOMAIN: What Is It And How To Fix The Problem

Podcast | Self-Hosted vs. Hosted eCommerce Sites

Setting up Your Ideal Web Development Environment With Plesk Essentials

Knowledge Base

Unable to install Let’s Encrypt certificate for the domain hosted in Plesk: SERVFAIL looking up A for example.com

Let’s Encrypt certificate installation/renewal fails for a domain in Plesk: Incorrect TXT record found at _acme-challenge.example.com

Unable to issue Let’s Encrypt certificate for domain in Plesk: misconfiguration of the Common Challenge Directory

Cannot issue wildcard Let’s Encrypt certificate in Plesk: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.com

Hosting Wiki