Error: "We could not provision a Let’s Encrypt certificate for your custom domain."

I’ve managed to set up proper DNS records. The site is:

optimistic-raman-cbe762.netlify.app linking to http://retur.camillebrinch.dk/

But I can’t provision the SSL certificate. I’ve attached screenshots of the process here. Other posts state how this seems to work after a week or so, but I’ve tried for a bit over a week now with zero success. I hope someone here can spot the errors.

[Three screenshots attached, taken 2020-09-28]

Hi, @lssrvn, the SSL certificate isn’t updating because of the following error:

DNS problem: SERVFAIL looking up CAA for camillebrinch.dk - the domain’s nameservers may be malfunctioning

I’ve not seen this error before but I do see errors instead of an answer when making the DNS query. For example, here is a URL for a lookup using dig via a public Google web UI app:

https://toolbox.googleapps.com/apps/dig/#CAA/camillebrinch.dk

I can confirm that the DNS error is the reason for the SSL certificate provisioning failure but I don’t know why the DNS error is happening. I would recommend contacting the DNS service for this domain to get their assistance in resolving the DNS error.

Please let us know if there are other questions about this.

@lssrvn Welcome to the Netlify community.

I’m with @luke – there’s something odd going on with your DNS.

Whois returns no DNS server for your FQDN, but dig shows DigitalOcean.

Your A record seems to point to Shopify instead of to Netlify’s load balancer IP address.

Your server returns as Cloudflare.

However, your SSL certificate (for your apex domain) seems OK.

Have you seen this documentation?

Hi there Greg,

Thanks for getting back.

Our apex domain is a Shopify Store so I think that is set up as it should be.

We are however using “www.” in front of it - could that be causing the issue?

I’ve already configured the subdomain as described in the article you linked and that seems to work as well.

SSL is also working properly on our apex domain. It’s just for this subdomain that I can’t get it to work.

I’ve also done this on our www.camillebrinch.com Shopify store with returns.camillebrinch.com and that also works fine. The only difference here is that the domain is managed by Shopify whereas the “.dk” domain is hosted by Digital Ocean.

@lssrvn You seem also to have A records for your retur subdomain pointing to your Netlify subdomain. I think you need only the CNAME entry, not the A-record entries.

Also, your Netlify site doesn’t seem to load fully no matter which URL I use, although that’s probably not creating an issue with the DNS … just with what visitors see (or don’t).

That sounds weird. I can only find that one CNAME record for the retur.camillebrinch.dk url. The “.com” domain is not loading because the store is not open yet (forgot to mention) but the SSL works fine there.

www.retur.camillebrinch.dk should load for every visitor, just not with a certificate.

Any other ideas to what might cause this?

@lssrvn It looks as though you are making progress. Your retur website now loads for me.

It should have loaded before as well. Are you sure you didn’t visit returns.camillebrinch.com instead? That isn’t published yet.

I think the A record relates to Shopify. I’ve talked with them previously about certificates on subdomains (in relation to storing cookies) but back then they said they weren’t allowing this due to security reasons.

I think the “returns” subdomain was an artifact of auto-“correct.” When I type “retur” the browser / computer wants to “complete” it as “returns”.

The error at Let’s Encrypt can be seen here:

https://acme-v02.api.letsencrypt.org/acme/authz-v3/7538086137

Quoting that authorization attempt:

  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: SERVFAIL looking up CAA for camillebrinch.dk - the domain's nameservers may be malfunctioning",
        "status": 400
      },

The SERVFAIL is still happening. This can be seen currently with the DNS lookup below:

https://toolbox.googleapps.com/apps/dig/#CAA/camillebrinch.dk

Quoting that (currently as it can change):

id 27740
opcode QUERY
rcode SERVFAIL
flags QR RD RA
;QUESTION
camillebrinch.dk. IN CAA
;ANSWER
;AUTHORITY
;ADDITIONAL

It is the rcode SERVFAIL for this DNS lookup which is the root cause of SSL certificate provisioning not working.

Again, the key is this:

  • Until the SERVFAIL for the CAA record for the apex domain is fixed the Let’s Encrypt certificate cannot be issued.

That is 100% the root cause.

As Netlify doesn’t control the DNS for this custom domain, one solution is to contact the DNS service about that SERVFAIL error.

You might also just create a CAA record to resolve the error. There is more about what Let’s Encrypt requires for a CAA record here:

https://letsencrypt.org/docs/caa/

There is a tool to generate CAA records here:

https://sslmate.com/caa/

For example, a CAA record like this:

camillebrinch.dk.	CAA	0 issue "letsencrypt.org"

Again, though, if the existing CAA record query didn’t error (and returned a SOA record instead) this would also resolve the issue. Meaning, an empty CAA record doesn’t block Let’s Encrypt, but a CAA record with a SERVFAIL error will.

The workaround above is to create a CAA record to avoid the error. Also, to clarify, the DNS error isn’t at Netlify; it is with the DNS service.

Please let us know if there are other questions about this.

Turns out we had a CAA record authorizing amazon.com to provision certificates. Removed this and that solved the error.

Jesus, what a nightmare :slight_smile:

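As an added example (not code from this thread, from Netlify or from Let’s Encrypt), the script below implements the CAA rules luke describes and the one the final post ran into: the CA climbs from the requested name (retur.camillebrinch.dk) towards the root and uses the first non-empty CAA RRset it finds (RFC 8659 section 3); no CAA RRset anywhere means any CA may issue; a SERVFAIL on any label is a hard error; and an RRset whose issue records name only another CA (here amazon.com) denies letsencrypt.org. The zone dictionaries are constructed stand-ins for live DNS answers, and the names `CAARecord`, `relevant_rrset`, `ca_may_issue` and `diagnose` are my own.

```python
"""Toy CAA policy evaluator: which CA may issue for a name, and why.

Added example for this thread; the zone data below is constructed, not real DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

SERVFAIL = "SERVFAIL"   # marker: the resolver returned rcode SERVFAIL for the CAA query
CRITICAL = 0x80         # RFC 8659 issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'letsencrypt.org', ';' (nobody), 'amazon.com; account=123'


# Owner name -> CAA RRset. An empty list (or a missing key) models NOERROR/NODATA
# or NXDOMAIN, i.e. no CAA RRset; the string SERVFAIL models a lookup error.
Zone = Dict[str, Union[List[CAARecord], str]]


def relevant_rrset(fqdn: str, zone: Zone) -> Tuple[str, List[CAARecord]]:
    """RFC 8659 section 3: starting at fqdn, climb towards the root and return the
    first non-empty CAA RRset together with its owner name. A SERVFAIL on any
    label is a hard error: the CA cannot learn the policy, so it must not issue.
    CNAMEs are not followed (RFC 8659 dropped that rule from RFC 6844)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        answer = zone.get(name, [])
        if isinstance(answer, str):   # SERVFAIL marker
            raise LookupError(f"DNS problem: SERVFAIL looking up CAA for {name}")
        if answer:
            return name, list(answer)
    return "", []


def ca_may_issue(fqdn: str, ca_domain: str, zone: Zone,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Apply the relevant RRset to one CA. Returns (allowed, reason)."""
    owner, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA RRset anywhere in the tree: any CA may issue"
    # An unrecognised tag with the critical flag set forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical tag {rr.tag!r} at {owner}"
    # Wildcard requests use issuewild if any exist, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(rr.tag == "issuewild" for rr in rrset) else "issue"
    grants = [rr for rr in rrset if rr.tag == tag]
    if not grants:
        return True, f"CAA RRset at {owner} has no {tag} records: any CA may issue"
    for rr in grants:
        issuer = rr.value.split(";", 1)[0].strip().lower()   # 'ca; params' -> 'ca'
        if issuer == ca_domain.lower():
            return True, f"{owner} CAA {tag} authorizes {ca_domain}"
    listed = ", ".join(repr(rr.value) for rr in grants)
    return False, f"{owner} CAA {tag} only lists {listed}, not {ca_domain}"


def diagnose(name: str, ca_domain: str, zone: Zone) -> Tuple[str, str]:
    """Verdict for one certificate request: 'allowed', 'denied' or 'error'."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    try:
        ok, why = ca_may_issue(fqdn, ca_domain, zone, wildcard)
    except LookupError as exc:
        return "error", f"{exc}: fix the nameservers before retrying"
    return ("allowed" if ok else "denied"), why


# The states of the apex discussed in the thread, modelled with constructed data.
SCENARIOS: Dict[str, Zone] = {
    "apex SERVFAILs on CAA": {"camillebrinch.dk": SERVFAIL},
    "apex CAA authorizes only amazon.com": {
        "camillebrinch.dk": [CAARecord(0, "issue", "amazon.com")]},
    "no CAA records at all": {},
    "apex CAA authorizes letsencrypt.org, forbids wildcards": {
        "camillebrinch.dk": [CAARecord(0, "issue", "letsencrypt.org"),
                             CAARecord(0, "issuewild", ";")]},
}

if __name__ == "__main__":
    for label, zone in SCENARIOS.items():
        for name in ("retur.camillebrinch.dk", "*.camillebrinch.dk"):
            verdict, why = diagnose(name, "letsencrypt.org", zone)
            print(f"{label:55} {name:25} {verdict:7} {why}")
```

To compare the toy against reality, run `dig CAA camillebrinch.dk` (or the Google toolbox link above) and read the `status:`/`rcode` line: NOERROR with an empty answer is the harmless "no CAA" case, SERVFAIL is the error case, and an answer whose `issue` value is not letsencrypt.org is the denied case the final post found.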