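I did some further troubleshooting and found that the challenge is HTTP-based (http-01), not DNS-based. The error reported for that challenge is still a DNS error, though: the CAA lookup for treelet.email returns SERVFAIL, as the response below shows.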
2023-02-21 17:36:04,693:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/205283304466 HTTP/1.1" 200 989
2023-02-21 17:36:04,693:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 21 Feb 2023 15:36:04 GMT
Content-Type: application/json
Content-Length: 989
Connection: keep-alive
Boulder-Requester: 974507376
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: C4004bMFBrI7J3cHWwteUP5_txN8yKYe5S06-xgXBr5aQF8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "box.treelet.email"
},
"status": "invalid",
"expires": "2023-02-28T15:35:58Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: SERVFAIL looking up CAA for treelet.email - the domain's nameservers may be malfunctioning",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/205283304466/B1bnow",
"token": "0PLxwtgueQObsnXnfMUnXX29ZsM2kOo06psHs2ffneQ",
"validationRecord": [
{
"url": "http://box.treelet.email/.well-known/acme-challenge/0PLxwtgueQObsnXnfMUnXX29ZsM2kOo06psHs2ffneQ",
"hostname": "box.treelet.email",
"port": "80",
"addressesResolved": [
"3.66.149.70"
],
"addressUsed": "3.66.149.70"
}
],
"validated": "2023-02-21T15:35:59Z"
}
]
}