I am registering a certificate for domain.com including several subdomains. Except for one sub-subdomain, all domains, subdomains and sub-subdomains are added to the certificate.
The only error that keeps coming back is for the domain test.www.domain.com:
domain.com -> works
www.domain.com -> works
test.xyz.domain.com -> works
test.www.domain.com -> does not work
A webpage is running on the domain http://test.www.domain.com and is perfectly reachable on port 80. Pinging this specific hostname also returns a correct response.
Hence my question: is there a way to add the full domain test.www.domain.com to the certificate, or is test.www somehow an invalid URL?
Detailed Error Message from Certbot:
Failed authorization procedure. test.www.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for test.www.domain.com
That has become a well-known issue recently. As the error message states, there is a misconfiguration on the DNS side:
DNS problem: SERVFAIL looking up CAA for test.www.domain.com
A CAA (Certification Authority Authorization) record is intended to allow the domain name owner to define which certificate authorities can issue certificates for this particular domain name. It is a relatively new type of DNS record, and some DNS providers are still failing to implement it properly; however, it is mandatory for publicly trusted certificate authorities to support CAA.
The issue will not occur if the CAA record is properly implemented, or not implemented at all.
But when the DNS lookup for the CAA record returns SERVFAIL status, Let's Encrypt will refuse to validate the domain name.
Here is the corresponding announcement from Let's Encrypt:
When originally implementing CAA, we ran into a number of issues with various DNS providers not properly supporting queries for this record type. Because of this we implemented a soft-fail behavior when DNS servers return the SERVFAIL error code to CAA queries instead of the expected NOERROR code.
Over the last year and a half, we’ve worked with a number of these providers to move towards spec compliance, but there are still a few misconfigured providers. However, we are moving towards strict enforcement of CAA, where SERVFAIL responses will block issuance. This is also in line with upcoming industry requirements: all CAs will soon be required to check CAA by the CA/Browser Forum Baseline Requirements.
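As an added diagnostic example (not part of the question or the answer above), the POSIX shell script below classifies `dig` output for a CAA query and walks the lookup chain a CA follows, from test.www.domain.com up through www.domain.com to domain.com, so a SERVFAIL stands out from a clean "no CAA record" answer. It assumes `dig` (BIND utilities) is installed for live checks and uses constructed sample output for the offline case.

```shell
#!/bin/sh
# Classify the output of one `dig CAA <name>` query:
#   SERVFAIL - resolver failed (the condition Let's Encrypt now treats as fatal)
#   CAA      - NOERROR with at least one CAA record in the answer section
#   NONE     - NOERROR without CAA data, or NXDOMAIN (fine: nothing restricts issuance)
#   OTHER    - any other rcode
classify_caa() {
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$rcode" in
        SERVFAIL) echo SERVFAIL ;;
        NOERROR)
            if printf '%s\n' "$1" | grep -q '[[:space:]]IN[[:space:]][[:space:]]*CAA[[:space:]]'; then
                echo CAA
            else
                echo NONE
            fi ;;
        NXDOMAIN) echo NONE ;;
        *) echo OTHER ;;
    esac
}

# Names a CA consults for CAA: the leaf, then each parent down to the registrable
# domain (assumed here to be the last two labels, e.g. domain.com; the TLD is skipped).
caa_chain() {
    name=$1
    while :; do
        case "$name" in
            *.*) echo "$name"; name=${name#*.} ;;
            *) break ;;
        esac
    done
}

# Live check: query every name in the chain and print "<name><TAB><class>".
check_caa_chain() {
    for n in $(caa_chain "$1"); do
        out=$(dig +noall +comments +answer CAA "$n" 2>/dev/null || true)
        printf '%s\t%s\n' "$n" "$(classify_caa "$out")"
    done
}

# Constructed sample of the header line dig prints for the failing lookup in the question.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
printf 'sample lookup for test.www.domain.com -> %s\n' "$(classify_caa "$SAMPLE_SERVFAIL")"

# With a hostname argument and dig available, run the live chain check.
if [ $# -gt 0 ] && command -v dig >/dev/null 2>&1; then
    check_caa_chain "$1"
fi
```

Run it as `sh check_caa.sh test.www.domain.com`; any line reporting SERVFAIL identifies the zone whose DNS provider must fix CAA handling before the http-01 challenge can succeed.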