I just had to update my Let's Encrypt certificates manually
for my Cloudflare "DNS only" entries and got the Let's Encrypt error that the certificate could not be renewed because I did not have a CAA entry for my "DNS only" subdomain in Cloudflare.
This problem did not happen a few days ago.
My Let's Encrypt certificate for my DNS-only subdomain
could be renewed without any problems some days ago!
It looks like Let's Encrypt and other CAs switched to asking DNS services like Cloudflare
for CAA entries before they renew any certificates from now on.
See this reply here from a Let's Encrypt engineer:
The problem is that when we ask your authoritative DNS server “Hey do you have a CAA record for this domain?” instead of saying “Nope, no record!” it says “SERVFAIL”.
You need to contact your DNS provider to have them fix this error. Soon all CAs (not just Let's Encrypt) will be required to ask your DNS server about CAA before issuing, and this will cause problems until fixed by your provider.
There isn’t presently a way to bypass this error except having your DNS provider fix this problem or switching to a DNS provider that doesn’t return SERVFAIL instead of a non-error reply.
I have now created a CAA entry for my "DNS only" subdomain in Cloudflare DNS:
subdomain.domain.com. CAA 0 issue "letsencrypt.org"
and that fixed the problem with Let's Encrypt.
Now the certificates for the DNS-only subdomain are renewed again without any problems.
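To see why a SERVFAIL blocks renewal while a clean "no record" answer does not, here is an added example (not code from the original post, from Cloudflare, or from Let's Encrypt) that models the CAA check a CA performs before issuance as described in RFC 8659, Section 3. It climbs from the requested name toward the root until it finds a CAA RRset, fails closed on any lookup error, and otherwise decides whether the CA's domain is listed. The resolver is a constructed in-memory stub with hypothetical names (broken.example.com, fixed.example.com and so on, not the author's real domain), so it runs offline; it deliberately omits wildcard (issuewild) handling and the RFC 6844 CNAME-following that RFC 8659 dropped.

```python
"""Model of a CA's pre-issuance CAA check (RFC 8659, Section 3).

Added example with a constructed resolver stub; not the original post's code.
"""

CRITICAL = 128                         # CAA "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


class Servfail(Exception):
    """Raised by the resolver stub to simulate a DNS SERVFAIL response."""


# Constructed sample zone data with hypothetical names (not the author's domain).
# A list is the CAA RRset at that name as (flags, tag, value) tuples; None means
# a clean NOERROR/NODATA or NXDOMAIN answer; "SERVFAIL" means the server errors.
STUB_ZONE = {
    "broken.example.com.": "SERVFAIL",                       # the Cloudflare symptom
    "fixed.example.com.": [(0, "issue", "letsencrypt.org")], # the author's workaround
    "locked.example.com.": [(0, "issue", "otherca.example")],
    "noca.example.com.": [(0, "issue", ";")],                # empty issuer: nobody may issue
    "example.com.": None,
    "com.": None,
    ".": None,
}


def stub_lookup(name, zone=STUB_ZONE):
    """Return the CAA RRset at `name` (None when there is none); raise on SERVFAIL."""
    answer = zone.get(name)
    if answer == "SERVFAIL":
        raise Servfail(f"authoritative server returned SERVFAIL for CAA {name}")
    return answer or None      # an empty list is the same as no records


def ancestors(fqdn):
    """Yield fqdn, its parent, ..., and finally the root, all as absolute names."""
    labels = [label for label in fqdn.rstrip(".").split(".") if label]
    while labels:
        yield ".".join(labels) + "."
        labels.pop(0)
    yield "."


def relevant_caa_rrset(fqdn, lookup=stub_lookup):
    """RFC 8659 tree climb: the first non-empty CAA RRset walking toward the root.

    Returns (name, rrset), or (None, None) when no name in the chain has CAA
    records. A lookup failure propagates as Servfail: the CA cannot tell
    whether a restrictive record exists, so it must not issue.
    """
    for name in ancestors(fqdn):
        rrset = lookup(name)
        if rrset:
            return name, rrset
    return None, None


def caa_decision(fqdn, ca_domain, lookup=stub_lookup):
    """Decide whether `ca_domain` may issue a non-wildcard cert for `fqdn`."""
    if not fqdn.endswith("."):
        fqdn += "."
    try:
        where, rrset = relevant_caa_rrset(fqdn, lookup)
    except Servfail as err:
        return f"refuse: {err}"           # fail closed on lookup errors
    if rrset is None:
        return f"permit: no CAA records at any ancestor of {fqdn}"
    # An unrecognized tag with the critical flag set forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return f"refuse: critical unknown CAA tag '{tag}' at {where}"
    # The issuer domain is the part of the value before any ';' parameters.
    issuers = {value.split(";", 1)[0].strip().lower()
               for _, tag, value in rrset if tag.lower() == "issue"}
    if not issuers:
        return f"permit: CAA RRset at {where} does not restrict issuance"
    if ca_domain.lower() in issuers:
        return f"permit: issue {ca_domain} found at {where}"
    allowed = ", ".join(sorted(i for i in issuers if i)) or "nobody"
    return f"refuse: CAA at {where} allows only {allowed}"


if __name__ == "__main__":
    for host in ("broken", "fixed", "www.fixed", "locked", "noca", "other"):
        print(f"{host}.example.com -> "
              f"{caa_decision(host + '.example.com', 'letsencrypt.org')}")
```

The broken name is refused even though it has no restrictive record at all, which is exactly the situation the engineer's reply describes; adding an explicit record at the subdomain gives the climb a clean answer to stop at. Against a real zone the equivalent check is `dig CAA subdomain.domain.com` and reading the `status:` field in the answer header: NOERROR (with or without records) or NXDOMAIN is fine, SERVFAIL is the failure a CA will not issue over.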
You may sooner or later get big problems like me because of failed certificate renewals
if you don't have a CAA entry for your DNS-only subdomains.