Certbot failed to authenticate

Randomly certbot started to fail to automatically renew my TLS certs.

I get the following error in the email:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.scrncheat.com
Type: dns
Detail: During secondary validation: While processing CAA for mail.scrncheat.com: DNS problem: looking up CAA for mail.scrncheat.com: DNSSEC: DNSKEY Missing: validation failure <mail.scrncheat.com. CAA IN>: key for validation mail.scrncheat.com. is marked as invalid because of a previous No DNSKEY record

I’ve run “sudo mailinabox” again and tried to manually reprovision, but get the same error.

Appreciate any help!

It happened before, perhaps that topic will help you?
In the meantime:

  • Do you manage DNS manually or are you letting the box handle it?
  • Do you have dnssec enabled?

Disable DNSSEC at the registrar and try again. Then re-enable it and try again.

Manage DNS manually via Cloudflare.

I do.

Thanks for this, this solved it. I wasn’t sure what to set the CAA record to.

Thing is, you shouldn’t have to, because it’s not mandatory. However, as Let’s Encrypt also notes (see the bottom of that page, CAA errors), if the DNS server replies incorrectly you might also receive this. I would expect that Cloudflare does not have this issue.
On the other hand, setting the CAA record should not hurt if you don’t do anything complex with HTTPS certificates.
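To make the two suggestions in this thread concrete (disabling DNSSEC at the registrar, and setting a CAA record), here is an added, self-contained example; it is not code from Mail-in-a-Box, Cloudflare or anyone posting above. "DNSSEC at the registrar" means the DS records the registrar publishes in the parent zone; a validating resolver such as the one Let’s Encrypt uses for its CAA lookup expects the zone itself to publish the DNSKEY those DS records were derived from, and fails the lookup when it does not. The code computes a DS record from a DNSKEY the way RFC 4034 specifies, classifies the chain (no DS, matching DS, DS with no DNSKEY, DS for a different key), and applies the RFC 8659 CAA rules. All key material and record values are constructed for the example; the zone name is the one from the thread, and the CA name assumed is letsencrypt.org.

```python
"""Offline DNSSEC/CAA consistency check (added illustration, standard library only).
The DNSKEY/DS/CAA values below are constructed examples, not real records."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: str   # base64, as printed in zone files


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: str       # hex


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    return (key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm])
            + base64.b64decode(key.public_key))


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(name: str, key: DNSKEY) -> DS:
    """The SHA-256 DS record the registrar should hold for this DNSKEY."""
    rdata = dnskey_rdata(key)
    return DS(key_tag(rdata), key.algorithm, 2,
              hashlib.sha256(wire_name(name) + rdata).hexdigest())


def diagnose(name: str, ds_at_parent: list, dnskeys_in_zone: list) -> str:
    """Classify the delegation the way a validating resolver would."""
    if not ds_at_parent:
        return "insecure"                   # no DS at registrar: zone is treated as unsigned
    if not dnskeys_in_zone:
        return "bogus: DNSKEY missing"      # DS promises keys the zone never publishes
    expected = {ds_from_dnskey(name, k) for k in dnskeys_in_zone}
    for ds in ds_at_parent:
        if DS(ds.key_tag, ds.algorithm, ds.digest_type, ds.digest.lower()) in expected:
            return "secure"
    return "bogus: DS matches no DNSKEY"    # e.g. DS left over from a previous DNS provider


def caa_allows(caa_records: list, ca: str = "letsencrypt.org", wildcard: bool = False) -> bool:
    """RFC 8659: no CAA records at all means any CA may issue; otherwise the CA must be
    named in an issue (or issuewild) property. Records are (flags, tag, value) tuples."""
    if not caa_records:
        return True
    tag = "issuewild" if wildcard else "issue"
    relevant = [value for _flags, t, value in caa_records if t == tag]
    if wildcard and not relevant:           # no issuewild: issue governs wildcards too
        relevant = [value for _flags, t, value in caa_records if t == "issue"]
    if not relevant:                        # only iodef etc.: issuance is not restricted
        return True
    return any(v.split(";")[0].strip().lower() == ca for v in relevant)


def sample_ksk(seed: int = 0) -> DNSKEY:
    """Constructed KSK with made-up key bytes (not a real key)."""
    return DNSKEY(257, 3, 13, base64.b64encode(bytes((seed + i) & 0xFF for i in range(32))).decode())


if __name__ == "__main__":
    zone = "scrncheat.com"                  # zone from the thread; records are constructed
    ksk = sample_ksk()
    ds = ds_from_dnskey(zone, ksk)
    print("provider publishes the key the DS names:      ", diagnose(zone, [ds], [ksk]))
    print("registrar keeps DS, provider has no DNSKEY:   ", diagnose(zone, [ds], []))
    print("DS removed at registrar (DNSSEC disabled):    ", diagnose(zone, [], []))
    print("no CAA record, Let's Encrypt may issue:       ", caa_allows([]))
    print("CAA 0 issue \"letsencrypt.org\":                ", caa_allows([(0, "issue", "letsencrypt.org")]))
```

The "DNSKEY missing" branch is the state the registrar-side fix removes: taking the DS away turns the zone into an ordinary unsigned one, and the CAA lookup succeeds. If you do want DNSSEC with an external provider, the DS at the registrar has to be regenerated from the keys that provider actually publishes, which `ds_from_dnskey` shows how to compute.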

I wonder if I’ve setup MiaB incorrectly for using an external DNS provider?

The real question would be “I wonder if I have set up my external DNS incorrectly?”

Nothing is done on the MiaB side, other than learning what errors/warnings to ignore on the status page.

I exported, and imported all the details given within MiaB into Cloudflare. The SOA is managed by Cloudflare themselves. I’m not sure what I’ve configured incorrectly.