Creating SSL certificate with certbot when droplet is a subdomain and root domain has SSL

So my problem is this: I have a root domain which is from 1&1 (Ionos) and that has its own SSL certificate. I also have another server running an application using DigitalOcean which also needs an SSL cert. But because this server is a subdomain, certbot just spits this error out whenever I attempt to create a new cert.

sudo certbot --nginx -v

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: chat.crypto******.com

Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter ‘c’ to cancel): 1
Requesting a certificate for chat.crypto******.com
Performing the following challenges:
http-01 challenge for chat.crypto******.com
Waiting for verification…
Challenge failed for domain chat.crypto******.com
http-01 challenge for chat.crypto******.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: chat.crypto******.com
  Type: dns
  Detail: DNS problem: SERVFAIL looking up CAA for - the domain’s nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
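
The failure above is a SERVFAIL on the CAA lookup, which the CA performs for the requested name and for each parent domain above it. As an added example (not from the original post or from Certbot), this script lists those names and queries each one for CAA with dig; chat.example.com is a placeholder hostname and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added diagnostic sketch; hostnames and function names are placeholders.

# Print every name a CA checks for CAA records: the requested name,
# then each parent up to the TLD (RFC 8659 tree climbing).
caa_chain() {
    local name
    name="${1%.}"                      # drop a trailing root dot
    while [ -n "$name" ]; do
        printf '%s\n' "$name"
        case "$name" in
            *.*) name="${name#*.}" ;;  # strip the leftmost label
            *)   name="" ;;            # TLD reached, stop
        esac
    done
}

# Extract the response code (NOERROR, NXDOMAIN, SERVFAIL, ...) from the
# header comments that `dig +noall +comments` prints, read from stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Query CAA for each name in the chain. NOERROR and NXDOMAIN are fine
# (having no CAA record is allowed); SERVFAIL or no reply blocks issuance.
check_caa() {
    local name status rc
    rc=0
    for name in $(caa_chain "$1"); do
        status=$(dig +noall +comments +time=5 +tries=1 CAA "$name" 2>/dev/null | dig_status)
        case "${status:-TIMEOUT}" in
            NOERROR|NXDOMAIN) printf 'ok    %-30s %s\n' "$name" "$status" ;;
            *) printf 'FAIL  %-30s %s\n' "$name" "${status:-TIMEOUT}"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run only when a hostname is given: ./check_caa.sh chat.example.com
if [ "$#" -gt 0 ]; then
    check_caa "$1"
fi
```

dig asks the local resolver, whose answer can differ from what the CA's resolvers see, so a FAIL line identifies which zone's nameservers to look at rather than proving the CA's view.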



Don't split, but add SSL to the subdomain itself or assign another SSL certificate.
