SERVFAIL looking up CAA

[QooGeek]

curl https://get.acme.sh | sh -s email=my@example.com

./acme.sh --issue --dns dns_aws --ocsp-must-staple --keylength ec-384 -d domain -d '*.domain'

debug log

  "identifier": {
    "type": "dns",
    "value": "domain"
  },
  "status": "invalid",
  "expires": "2024-05-15T04:26:19Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "During secondary validation: DNS problem: SERVFAIL looking up CAA for domain - the domain's nameservers may be malfunctioning",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/348065743877/CJdeZQ",
      "token": "xxxxxxx",
      "validationRecord": [
        {
          "hostname": "domain",
          "resolverAddrs": [
            "10.0.12.111:30554"
          ]
        }
      ],
      "validated": "2024-05-08T04:26:58Z"
    }
  ]
}'

[github-actions]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

[webprofusion-chrisc]

Looks like a temporary problem with your domains nameservers. They have returned a SERVFAIL when Let's Encrypt tried to check your DNS for a CAA record.

This is not a bug in acme.sh - if the problem persists share your domain details on https://community.letsencrypt.org/

[frantique]

The problem is that you tried to request an issuance for the domain called "domain".

[QooGeek]

@webprofusion-chrisc @frantique Thanks a lot for reply My domain name is topcf.club