DNS problem: SERVFAIL looking up CAA

I’m a newb MIAB user. Out of the box, MIAB just worked for me. On day one I set up a TLS certificate provisioned from Let’s Encrypt. I thought that it would automatically regenerate itself, but it didn’t, and now when I try to manually provision one I get the error “DNS problem: SERVFAIL looking up CAA for fleckmail.com”.

MIAB is running on a Digital Ocean VM running Ubuntu 14.04.

I’ve got no idea how to tackle this issue. Any advice would be greatly appreciated.

Guessing the domain you want to provision/renew a Let’s Encrypt certificate for is fleckmail.com, you need to add a custom CAA DNS record as follows:

Domain name: fleckmail.com
Record Type: CAA
Value: 0 issuewild "letsencrypt.org"
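For anyone who wants to see what a CA actually does with a record like the one above, here is an added example (not code from the thread or from Mail-in-a-Box) that evaluates a CAA RRset the way RFC 8659 directs: the lookup climbs from the requested name to its parents until a non-empty CAA set is found, `issuewild` governs only wildcard names and `issue` governs the rest, and a record with the critical flag set on an unknown tag blocks issuance. The zone contents are constructed sample data, not anyone’s real DNS.

```python
"""Evaluate CAA the way RFC 8659 sections 3, 4.2 and 4.3 direct a CA to.
Added example with a constructed in-memory zone; not Mail-in-a-Box code."""
import re
from dataclasses import dataclass

# Constructed sample zone: owner name -> CAA records in presentation format.
CONSTRUCTED_ZONE = {
    "fleckmail.com.": ['0 issuewild "letsencrypt.org"'],
    "example.org.": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.org"'],
    "locked.example.": ['0 issue ";"'],          # ';' alone: no CA may issue
    "strict.example.": ['128 frobnicate "x"'],   # critical flag on an unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text):
    """Parse '<flags> <tag> "<value>"' presentation format into a record."""
    m = CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, value = m.groups()
    return CAARecord(int(flags), tag.lower(), value)


def relevant_rrset(name, zone):
    """RFC 8659 section 3: query the name, then each parent, until a non-empty
    CAA RRset is found. A wildcard name is looked up from the name with its
    leading '*.' removed."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrs = zone.get(".".join(labels) + ".", [])
        if rrs:
            return [parse_caa(r) for r in rrs]
        labels = labels[1:]
    return []


def issuer_domain(value):
    """issue/issuewild value is 'issuer-domain-name [; parameters]'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca_domain, zone):
    """Return True if CAA allows `ca_domain` to issue for `name`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no Relevant RRset anywhere up the tree: no restriction
    # A critical record the CA does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = name.startswith("*.")
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Section 4.3: issuewild is ignored for non-wildcard names; for a wildcard
    # name, any issuewild records take the place of the issue records.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # no property requests issue restriction processing
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)


if __name__ == "__main__":
    for n in ("fleckmail.com", "*.fleckmail.com", "box.fleckmail.com",
              "mail.example.org", "*.example.org", "locked.example", "strict.example"):
        print(f"{n:22} letsencrypt.org -> {issuance_permitted(n, 'letsencrypt.org', CONSTRUCTED_ZONE)}")
```

Run it as a script to print the decision for each constructed name, or import `issuance_permitted` and point it at your own records.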

CAA records are completely optional – setting a CAA record has nothing to do with provisioning a Let’s Encrypt certificate. The error most likely indicates a general DNS error (see this).

@sfkHooper: Are you using your Mail-in-a-Box for DNS (or are you using external DNS)?

1 Like

Thanks @just4t, this is exactly what was required. An instant fix to the problem.

Yes, using MIAB for DNS. @just4t had the right answer in my case. Thanks.

Ok. You two are probably the only two people who set CAA records. For everyone else Let’s Encrypt is working fine without them.

:slight_smile: Sounds good, too …

@JoshData Here are some links that may be of help, too:

  • This one confirms CAA record(s) are not mandatory.
  • But this one lets us know: the DNS server software must be updated so that it doesn’t return an error when asked about CAA.

Hope this helps.

Sorry to necro an old thread, but the topic has arisen again, and I have insight into the problem and a solution. Of course @just4t’s solution also works.

This happens on a MiaB install that is NOT hosting email for the root domain.

For example, box.testbox.com is hosting email (because a user or alias has been added) for user@box.testbox.com, but there are no email addresses added for user@testbox.com.

What is happening in this case is that the LE issuance process is doing a dig against the authoritative name server (ns1.box.testbox.com) and being refused a record: not stating that there is NO record, but REFUSING to provide the record (because it does not exist, as the domain testbox.com’s DNS is not being provided by the MiaB install).

This breaks LE’s certificate issuance process.

The solution is to add a user or alias for the root domain, and then the box will update accordingly, returning “no record found” rather than “refused”.

@JoshData Just in case this is new information for you … this is still an issue with v0.43.
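The distinction drawn above, between a server that answers “no CAA record here” and one that refuses or fails the query, is easy to check for yourself. Here is an added example (not code from the thread or from Mail-in-a-Box) that builds a raw CAA query with only the Python standard library, sends it to whichever nameserver IP you pass on the command line, and classifies the reply by its RCODE. The responses used in the offline demonstration are constructed in the script itself; the nameserver IP and the `query_caa` helper name are assumptions for illustration.

```python
"""Build a DNS CAA query, send it to a chosen nameserver and classify the reply
the way a CA's CAA lookup would see it. Added example; not Mail-in-a-Box code."""
import socket
import struct

CAA_TYPE = 257
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_caa_query(name, txid=0x1234):
    """One question, CAA type, IN class, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", CAA_TYPE, 1)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_caa_rdata(rdata):
    """CAA RDATA is flags (1 byte), tag length (1 byte), tag, value."""
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii", "replace")
    return f'{flags} {tag} "{value}"'


def classify_response(msg):
    """Return (verdict, rcode name, authoritative flag, CAA records) for a raw reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    aa = bool(flags & 0x0400)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CAA_TYPE:
            records.append(parse_caa_rdata(msg[off:off + rdlen]))
        off += rdlen
    if rcode == "NOERROR" and records:
        verdict = "CAA records present; issuance is governed by them"
    elif rcode == "NOERROR":
        verdict = "no CAA records (NODATA); CAA imposes no restriction"
    elif rcode == "NXDOMAIN":
        verdict = "name does not exist; CAA imposes no restriction"
    else:
        verdict = f"lookup failure ({rcode}); a CA treats this as a CAA error"
    return verdict, rcode, aa, records


def caa_rdata(flags, tag, value):
    """Build CAA RDATA bytes (used only to construct sample replies)."""
    return bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")


def make_response(query, rcode, caa_rdatas=(), aa=True):
    """Construct a reply to `query` for offline demonstration: echoes the
    question and attaches the given CAA answers with a compression pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0) | rcode  # QR, RD, RA set
    header = struct.pack("!HHHHHH", txid, flags, 1, len(caa_rdatas), 0, 0)
    body = query[12:]
    for rdata in caa_rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, 1, 300, len(rdata)) + rdata
    return header + body


def query_caa(name, server, timeout=3.0):
    """Send the query over UDP to `server` (an IP address) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_caa_query(name), (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    # usage: python3 caa_check.py <domain> <nameserver-ip>, e.g. the IP of ns1.box.<domain>
    print(classify_response(make_response(build_caa_query("example.test"), 5)))  # constructed REFUSED
    if len(sys.argv) == 3:
        print(query_caa(sys.argv[1], sys.argv[2]))
```

Point it at the box’s own nameserver for the root domain: a healthy box answers NOERROR with an empty answer section, which is the “no record found” case; REFUSED or SERVFAIL is the failure the thread describes.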

I was also having this exact problem with a new MIAB set up where I didn’t have a user for the root domain. Adding an alias for the root domain allowed letsencrypt to provision successfully. Thank you for posting a solution.

1 Like