Let’s Encrypt: SSL and the “SERVFAIL looking up CAA for domain.com” error

One of my websites stopped working with a "Connection reset" error.

The NGINX config looks correct, and the other sites on the same server are working.

NGINX logged nothing, no errors at all, and PHP-FPM is also fine.

Let's check the website with curl:

The cause

Because the error above is reported from the SSL_connect call, the first thing to check is the site's certificate, although if it had simply expired the error would look different.

Still, let's try to renew the certificate:

But why does the error mention the top-level domain, setevoy.org.ua, and why is Let's Encrypt checking the CAA record at all? Previously, everything was working without it. The reason is that a CA does not look up CAA only for the name being issued: it starts at that name and climbs to each parent (blog.setevoy.org.ua, then setevoy.org.ua, and so on), stopping at the first name that actually has CAA records. So if the nameservers for setevoy.org.ua answer a CAA query with SERVFAIL, issuance for every name under it fails, whether or not those names ever had a CAA record.

Anyway, let's check the domain's DNS. First, find its nameservers:

Check whether the server returns an answer:

All good here.

A Google search turned up a discussion here, and this topic from Namecheap.

Check whether I have a CAA record on the root domain:

Um... But Google has one:

And rtfm.co.ua, by the way, doesn't have one either, and everything is working there (for now). Maybe it will break on the next renewal, we'll see. Note that a missing CAA record is not a problem by itself: a NOERROR answer with no CAA records means any CA may issue. What blocks Let's Encrypt is a CAA lookup that fails outright (SERVFAIL), which it treats as "unable to check", and in that case it refuses to issue.

The solution

Go to Route53 and add a new record:

Set its type to CAA and its value to 0 issue "letsencrypt.org" to allow Let's Encrypt to issue certificates for this domain (0 is the flags field, issue is the tag; use a separate issuewild entry if you also need wildcard certificates, since for wildcard names issuewild takes precedence over issue when present). Subdomains without their own CAA record inherit this one, and a CA not listed here will refuse to issue:

Check that DNS has been updated:

Run certbot renew again:

Done.
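To reproduce the check that certbot ran into, and to verify the new record, here is a small POSIX shell script that walks a name's CAA records the way a CA must (RFC 8659): it queries the name, then each parent, and stops at the first name that has CAA records. This is an added example, not code from the original post or from certbot. The sample zone inside it is constructed for offline use and only mirrors the situation in the post (the child name has no CAA, the parent zone answers SERVFAIL); the names good.example and locked.example, and the CAA_LOOKUP switch, are assumptions made for the example. Set CAA_LOOKUP=live_caa_lookup to run it against real DNS with dig.

```shell
#!/bin/sh
# Added example (not from the original post): walk a name's CAA records the way
# a CA must before issuing (RFC 8659), to reproduce "SERVFAIL looking up CAA".
#
# Lookup backends print: line 1 = DNS rcode, then one "<flags> <tag> <value>"
# line per CAA record. The constructed sample zone below is used by default so
# the script runs offline; set CAA_LOOKUP=live_caa_lookup to query real DNS.

# Constructed sample answers (assumption, not real DNS data). Like in the post,
# the parent zone fails CAA queries and the child name simply has no records.
sample_caa_lookup() {
  case "$1" in
    setevoy.org.ua) printf 'SERVFAIL\n' ;;
    good.example)   printf 'NOERROR\n0 issue letsencrypt.org\n0 issuewild digicert.com\n' ;;
    locked.example) printf 'NOERROR\n0 issue ;\n' ;;
    *)              printf 'NOERROR\n' ;;   # NODATA: name exists, no CAA records
  esac
}

# Real lookup via dig: rcode from the header line, records from the answer section.
live_caa_lookup() {
  out=$(dig +noall +comments +answer CAA "$1") || return 1
  printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
  printf '%s\n' "$out" | awk '$4 == "CAA" {
    v = $0; sub(/^.*CAA[ \t]+[0-9]+[ \t]+[a-z]+[ \t]+/, "", v); gsub(/"/, "", v)
    print $5, $6, v }'
}

# caa_allows <name> <ca-domain>
# exit 0: the CA may issue; 1: CAA forbids this CA; 2: lookup failed
# (Let's Encrypt treats a SERVFAIL on any name in the chain as "cannot issue").
caa_allows() {
  name=${1%.}; ca=$2; wild=0
  case "$name" in "*."*) wild=1; name=${name#\*.} ;; esac
  lookup=${CAA_LOOKUP:-sample_caa_lookup}
  while [ -n "$name" ]; do
    answer=$("$lookup" "$name") || { echo "CAA lookup for $name failed" >&2; return 2; }
    rcode=$(printf '%s\n' "$answer" | sed -n '1p')
    records=$(printf '%s\n' "$answer" | sed -n '2,$p')
    [ "$rcode" = NOERROR ] || { echo "CAA lookup for $name returned $rcode" >&2; return 2; }
    if [ -n "$records" ]; then
      # The closest name that has CAA records decides; parents are not consulted.
      tag=issue
      if [ "$wild" -eq 1 ] && printf '%s\n' "$records" | grep -q '^[0-9]* issuewild '; then
        tag=issuewild   # for wildcard requests, issuewild overrides issue when present
      fi
      # Compare the CA domain before any ";parameters"; "issue ;" forbids every CA.
      if printf '%s\n' "$records" | awk -v tag="$tag" -v ca="$ca" '
           { v = $3; sub(/;.*/, "", v) } $2 == tag && v == ca { ok = 1 } END { exit !ok }'; then
        return 0
      fi
      echo "CAA at $name does not permit $ca" >&2
      return 1
    fi
    case "$name" in *.*) name=${name#*.} ;; *) name='' ;; esac   # climb to the parent
  done
  return 0   # no CAA anywhere in the tree: any CA may issue
}

# Usage: caa_allows blog.setevoy.org.ua letsencrypt.org   (exit 2 with the sample zone)
```

With the sample zone, a name under setevoy.org.ua exits 2 even though the name itself answers cleanly, which is exactly the failure certbot reported; against live DNS, once the 0 issue "letsencrypt.org" record is in place and the nameservers answer NOERROR, the same call exits 0.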
