Let's Encrypt renewal errors for domains on Cloudflare DNS: DNS problem: SERVFAIL looking up CAA - the domain's nameservers may be malfunctioning

I am attempting to renew a cert with a number of subdomains. When doing so, I get a version of this error every time (using example.com in place of all domain names):

Error finalizing order :: Rechecking CAA for “example.com” and 10 more identifiers failed. Refer to sub-problems for more information. It errors for different domains every time.

The log subproblems look like this:

{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for example.com: DNS problem: SERVFAIL looking up CAA for example.com - the domain's nameservers may be malfunctioning",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "example.com"
  }
},

The DNS entries are not proxied, and I’ve done this same renewal many times before. Is this indicative of a DNS problem on Cloudflare’s side?

DNSSEC?

What’s the domain?

The failing subdomains are all on *.anet.live. An example of one that has failed once but not other times is pvpnew.anet.live. But every time I try to renew, between 3-10 of 83 domains fail.

You said domains, are these proper domains or hostnames?

anet.live doesn’t have any CAA entries set up right now, but the nameservers do not respond with an error either. You may need to configure an appropriate CAA entry, if you want to issue the certificate. Did you do this?

I am provisioning a LetsEncrypt cert via the certbot command on an outside server. Most of the 83 domains in the cert are subdomains of *.anet.live, but the only ones producing the stated errors are *.anet.live subdomains. They all have DNS A records in Cloudflare.

An example of the DNS entry in cloudflare.

I do not think I need to do anything new as the exact command I’m running has worked many times before.

You are saying domains, but yet you are showing screenshots of hostnames.

And the message you posted refers to a CAA check, which can’t validate as you did not configure such an entry.

I would clarify this with Let’s Encrypt and what you exactly need to do here. Cloudflare sends a proper response:

$ dig @duke.ns.cloudflare.com anet.live CAA

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45722

Maybe try setting up a specific CAA entry for that hostname (it should also work on a hostname level)
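To make the CAA discussion above concrete, here is an added example (not code from this thread, from Cloudflare or from Let's Encrypt) of the check a CA performs per RFC 8659: it climbs from the requested hostname up to the TLD, stops at the first label that has CAA records, treats a lookup error such as SERVFAIL anywhere on that path as fatal, and treats an empty result on the whole path as "any CA may issue", which is why a zone with no CAA records normally validates fine. The resolver is an injected in-memory table constructed for the example; the labels flaky.anet.live and example.net and their records are hypothetical, and pvpnew.anet.live is modelled with no CAA records at any level, matching the dig output in the post. Swap `sample_resolve` for a real lookup to run it against live names.

```python
"""CAA tree-climbing check (RFC 8659 section 3) with an injectable resolver.

Added example, not code from the thread or from Let's Encrypt/Cloudflare.
SAMPLE_ZONE is a constructed table; the names in it are hypothetical.
"""
from typing import Callable, Dict, List, Optional, Tuple

Status = Tuple[str, List[Tuple[str, str]]]  # ("NOERROR" | "SERVFAIL", [(tag, value)])


class CAAResult:
    def __init__(self, name: str, found_at: Optional[str],
                 records: List[Tuple[str, str]], error: Optional[str]):
        self.name = name            # identifier that was checked
        self.found_at = found_at    # label where the walk stopped, if any
        self.records = records      # CAA (tag, value) pairs found there
        self.error = error          # lookup error status, None on success


def climb_caa(name: str, resolve: Callable[[str], Status]) -> CAAResult:
    """Walk from `name` up to the TLD and return the first CAA RRset found.

    A SERVFAIL anywhere on the path is fatal: the CA cannot prove that no
    restricting record exists, so it must refuse to issue. Reaching the TLD
    with no records at all means issuance is unrestricted."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):  # every suffix down to the TLD, not the root
        label = ".".join(labels[i:])
        status, rrs = resolve(label)
        if status != "NOERROR":
            return CAAResult(name, label, [], status)
        if rrs:
            return CAAResult(name, label, rrs, None)
    return CAAResult(name, None, [], None)


def ca_may_issue(result: CAAResult, ca_domain: str,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Apply the issue/issuewild semantics of RFC 8659 sections 4.2 and 4.3."""
    if result.error:
        return False, "lookup failed with %s at %s" % (result.error, result.found_at)
    if not result.records:
        return True, "no CAA records on the path; any CA may issue"
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for t, v in result.records if t == tag]
    if wildcard and not relevant:          # issuewild absent: issue applies
        relevant = [v for t, v in result.records if t == "issue"]
    if not relevant:
        return True, "CAA present at %s but no %s property" % (result.found_at, tag)
    # The issuer domain is the part before any ';' parameters; an empty
    # value (e.g. `issuewild ";"`) forbids every CA for that tag.
    allowed = {v.split(";")[0].strip() for v in relevant}
    if ca_domain in allowed:
        return True, "%s listed in %s at %s" % (ca_domain, tag, result.found_at)
    return False, "%s not in %s set %s" % (ca_domain, tag, sorted(allowed))


# Constructed sample zone data (hypothetical names and records):
# anet.live and pvpnew.anet.live have no CAA records at any level,
# flaky.anet.live's lookup fails, and example.net restricts issuance.
SAMPLE_ZONE: Dict[str, Status] = {
    "example.net": ("NOERROR", [("issue", "letsencrypt.org"), ("issuewild", ";")]),
    "flaky.anet.live": ("SERVFAIL", []),
}


def sample_resolve(label: str) -> Status:
    """Stand-in for a real CAA query; anything not listed answers NOERROR/empty."""
    return SAMPLE_ZONE.get(label, ("NOERROR", []))


def check_order(identifiers: List[str],
                resolve: Callable[[str], Status] = sample_resolve,
                ca: str = "letsencrypt.org") -> Dict[str, Tuple[bool, str]]:
    """Run the CAA check for every identifier in an order, as a CA would at finalize."""
    out = {}
    for ident in identifiers:
        wildcard = ident.startswith("*.")
        base = ident[2:] if wildcard else ident
        out[ident] = ca_may_issue(climb_caa(base, resolve), ca, wildcard)
    return out


if __name__ == "__main__":
    names = ["pvpnew.anet.live", "flaky.anet.live", "api.example.net", "*.example.net"]
    for name, (ok, why) in check_order(names).items():
        print("%s %s: %s" % ("OK  " if ok else "FAIL", name, why))
```

Run against the sample table, pvpnew.anet.live passes with no CAA records anywhere on its path, flaky.anet.live fails because of the SERVFAIL rather than because of any CAA policy, api.example.net passes via the issue record on example.net, and *.example.net is refused by the explicit empty issuewild. Adding a CAA record does not remove the first failure mode: a SERVFAIL on a lookup is still fatal whatever records exist above it.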

Thanks for your help. I do not understand why a CAA record is needed. I have been renewing these domains for years, and this problem has never popped up. I will repost this on the LetsEncrypt community. If there is nothing wrong on the Cloudflare DNS side, then it has to be on the LetsEncrypt side.

The message you posted refers to CAA, so that would suggest they do check for CAA but it does not work - for whatever reason.

You don’t seem to have configured any CAA entry, so it wouldn’t surprise me if it complained about that. What surprises me is the error. That would usually suggest a DNSSEC issue, but you don’t have your domain signed either.

At this point I’d really clarify this first with Let’s Encrypt, maybe they have some insight.

I posted this question in the LE forum, and the consensus is that this might be some kind of rate limiting problem: LetsEncrypt renewal error - Error finalizing order :: While processing CAA, SERVFAIL looking up CAA - #5 by mcpherrinm - Help - Let's Encrypt Community Support.

Also, the error I posted just means that there is a DNS checking problem. It’s not CAA-specific. It just means it had trouble validating the DNS.

Why this hasn’t happened before, I don’t know. And hard to know where the exact problem is. But if it continues, they suggest creating smaller cert batches (e.g. 40 at a time instead of 100).


I think it may have already been suggested in the Let’s Encrypt Community, but reducing the number of domains* in the certificate may help. I have seen similar topics (including the misleading CAA verbiage in the error) recently in the Let’s Encrypt Community. While the hard limit is 100 SANs in an LE cert, problems like you describe have been cropping up with fewer names, although like yours, they have been quite high.

* (I am using domain in the Let’s Encrypt parlance that refers to a name covered by a SAN.)


Thanks for passing along your experience @epic.network. Fewer SANs per cert and more Let’s Encrypt certificates it is!


Let us know if it works. I’m tracking the conversation both here and there.

That’s precisely what I was referring to. And mcpherrinm also suggested creating a CAA entry.

Generally, Cloudflare should be relatively generous when it comes to DNS queries, so I’d be surprised if that was a rate limiting, but it’s certainly worth a try.

Also, if you really have a number of hostnames which may run into rate limiting, I’d definitely rather use a wildcard certificate, than have specific certificates for each hostname.
