The error at Let’s Encrypt can be seen here:
Quoting that authorization attempt:
"detail": "DNS problem: SERVFAIL looking up CAA for camillebrinch.dk - the domain's nameservers may be malfunctioning",
The SERVFAIL is still happening. This can be seen currently with the DNS lookup below:
Quoting that (currently as it can change):
flags QR RD RA
camillebrinch.dk. IN CAA
It is the rcode SERVFAIL for this DNS lookup which is the root cause of SSL certificate provisioning not working.
Again, the key is this:
- Until the SERVFAIL for the CAA record for the apex domain is fixed the Let’s Encrypt certificate cannot be issued.
That is 100% the root cause.
As Netlify doesn’t control the DNS for this custom domain, one solution is to contact the DNS service about that SERVFAIL error.
You might also just create a CAA record to resolve the error. There is more about what Let’s Encrypt requires for a CAA record here:
There is a tool to generate CAA records here:
For example, a CAA record like this:
camillebrinch.dk. CAA 0 issue "letsencrypt.org"
Again, though, if the existing CAA record query didn’t error (and returned a SOA record instead) this would also resolve the issue. Meaning, an empty CAA record doesn’t block Let’s Encrypt, but a CAA record with a SERVFAIL error will.
The workaround above is to create a CAA record to avoid the error. Also, to clarify, the DNS error isn’t at Netlify; it is with the DNS service.
Please let us know if there are other questions about this.
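
The distinction drawn in the reply above (a failed CAA lookup blocks issuance, an empty answer does not) can be checked with a small script. This is an added example, not part of the original reply or any Netlify or Let's Encrypt tooling; `classify_caa` is a hypothetical helper name, the sample `dig` outputs are constructed, and it inspects only the `issue` tag at a single name.

```shell
#!/bin/sh
# classify_caa (hypothetical helper) reads the output of
#   dig CAA <name> +noall +comments +answer
# on stdin and reports whether that lookup would block Let's Encrypt.
classify_caa() {
  awk '
    /->>HEADER<<-/ {                       # header line carries "status: <RCODE>,"
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    # answer line layout: name TTL class CAA flags tag "value"
    $1 !~ /^;/ && $4 == "CAA" && $6 == "issue" {
      issue_seen = 1
      ca = $7; gsub(/"/, "", ca); sub(/;.*/, "", ca)   # drop quotes and parameters
      if (ca == "letsencrypt.org") le_ok = 1
    }
    END {
      if (status == "") print "unknown: no DNS header found"
      else if (status != "NOERROR" && status != "NXDOMAIN")
        print "blocked: lookup failed (" status ")"
      else if (!issue_seen) print "allowed: no CAA issue restriction at this name"
      else if (le_ok) print "allowed: CAA authorizes letsencrypt.org"
      else print "blocked: CAA issue records do not list letsencrypt.org"
    }'
}

# Constructed sample outputs (not captured from the real domain).
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_LE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
camillebrinch.dk. 3600 IN CAA 0 issue "letsencrypt.org"'

for sample in "$SAMPLE_SERVFAIL" "$SAMPLE_EMPTY" "$SAMPLE_LE"; do
  printf '%s\n' "$sample" | classify_caa
done
```

To check live DNS, pipe real output into it: `dig CAA camillebrinch.dk +noall +comments +answer | classify_caa`.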