DNS Error when renewing Lets Encrypt Certbot

Related Post, but I’ve since contacted Let’s Encrypt regarding this error.

Kindly check this thread with LetsEncrypt’s support

I’m now getting the following error after running: sudo certbot renew

 - The following errors were reported by the server:

   Type:   dns
   Detail: DNS problem: SERVFAIL looking up CAA for
   - the domain's nameservers may be malfunctioning

But the thing is, I’ve already added in the CAA record to allow, and my records are correct.

They’ve also informed me that there’s something odd with my NS records. I did have two extra NS records before but I’ve since deleted them over 6+ hours ago. I don’t think the DNS has been refreshed since the LetsEncrypt support informed me that there’s still something odd about the NS records.

You can try running: dig +trace

and the following log will appear:

60536   IN      NS
60536   IN      NS
;; Received 96 bytes from in 108 ms

60536   IN      NS
60536   IN      NS
;; Received 96 bytes from in 148 ms

60536   IN      NS
60536   IN      NS
;; Received 96 bytes from in 196 ms

60535   IN      NS
60535   IN      NS
;; Received 96 bytes from 2400:cb00:2049:1::adf5:3b29#53( in 196 ms

3600    IN      A
43200   IN      CNAME
;; Received 77 bytes from 2400:cb00:2049:1::adf5:3b29#53( in 196 ms

Can this issue be fixed immediately? Thank you.


Hello, @angelovillasant

Keep in mind that all DNS changes might take up to 48 hours in order to fully update. This is due to ISP DNS cache and general DNS propagation as well. This usually happens a lot faster but will still take at least a few hours to fully update.

You can check the DNS records with our DNS tool:

You can also monitor the DNS propagation using this site:

It will show you a DNS record check from various points around the world. This will help you to see if there is a DNS misconfiguration or if it’s just the DNS slowly updating.

I would recommend that you wait for an hour or two before running the renew command again:

sudo certbot renew

This is in order not to hit the renew attempt limit that LE have per hour.

Hope that this helps! Regards, Alex
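
A pre-flight check to go with the advice above to wait before re-running the renewal, as an added example that is not part of the original answer: it asks each of the domain's nameservers directly for the CAA record and reports any that do not answer NOERROR, so a renewal attempt is only spent once the SERVFAIL is gone. The function names and `example.com` are placeholders, and it assumes `dig` is installed.

```shell
#!/bin/sh
# Added example: per-nameserver CAA pre-flight before retrying a renewal.
# Function names and example.com are placeholders, not taken from the page.

# Constructed sample: dig header lines for a failing and a working lookup.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# Read dig output on stdin and print the response code from its header line
# (NOERROR, SERVFAIL, ...). Prints NORESPONSE when there is no header, which
# is what a timed-out query looks like.
dig_status() {
    st=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${st:-NORESPONSE}"
}

# Ask each nameserver in the domain's NS set (as seen by the local resolver)
# for the CAA record directly, and print one "nameserver: status" line each.
# Returns 0 only if every nameserver answered NOERROR, 1 if any did not,
# 2 if no NS records came back at all.
check_domain() {
    domain=$1
    failed=0
    # Drop dig's ";;" diagnostic lines so only nameserver names remain.
    nameservers=$(dig +short NS "$domain" | grep -v '^;')
    if [ -z "$nameservers" ]; then
        echo "no NS records returned for $domain" >&2
        return 2
    fi
    for ns in $nameservers; do
        status=$(dig +norecurse +time=3 +tries=1 +noall +comments \
                     CAA "$domain" "@$ns" | dig_status)
        echo "$ns: $status"
        [ "$status" = "NOERROR" ] || failed=1
    done
    return "$failed"
}

# Usage: sh caa_preflight.sh example.com
if [ $# -gt 0 ]; then
    check_domain "$1" && echo "all nameservers answer CAA; retry: sudo certbot renew"
else
    # No domain given: run the parser over the constructed samples.
    printf '%s\n' "$SAMPLE_FAIL" | dig_status
    printf '%s\n' "$SAMPLE_OK" | dig_status
fi
```

A NOERROR status with an empty answer is still a pass here: it means the nameserver responded and simply has no CAA record at that name.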