Issuing a Let’s Encrypt certificate in Plesk fails when using external DNS: DNS problem: SERVFAIL looking up CAA for example.com

Dmitry Bystrov

7 months ago

Symptoms

An attempt to issue a Let's Encrypt certificate in Plesk fails with the following error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/170110130/120505529288.

Details:
Type: urn:ietf:params:acme:error:caa
Status: 403

Detail: Error finalizing order :: While processing CAA for example.com: DNS problem: SERVFAIL looking up CAA for example.com - the domain's nameservers may be malfunctioning
External DNS service is being used to host the domain DNS Zone.

Cause

External DNS server does not process CAA requests correctly and SERVFAIL is returned instead of NOERROR.

Resolution

Contact DNS server administrator to address the issue.

As workaround:

Add a CAA record like below example into the externally hosted domain DNS zone:

example.com. CAA 0 issue "letsencrypt.org"

0 Shares

Exit mobile version