
Letsencrypt certbot works but renewal doesn't

I've got a server which had an expired letsencrypt certificate. To fix that, I simply ran certbot --apache which ran without problems and solved the expired certificate.

To prevent this problem in the future, I wanted to have the certificate automatically renew itself, so following the instructions here I ran certbot renew --dry-run, but that ends in an error:

Attempting to renew cert from /etc/letsencrypt/renewal/cms.ourdomain.com.conf produced an unexpected error: Failed authorization procedure. cms.ourdomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for cms.ourdomain.com. Skipping.

Since certbot --apache worked perfectly well I wouldn't know why this renewal would fail with a DNS problem. To be sure I ran certbot --apache again to force and renew the cert again, which again worked fine. So nothing seems to be wrong with the DNS.

Does anybody know what could be the cause of this problem or how I can debug this? All tips are welcome!

From what I have seen, certbot and certbot --apache actually take some significantly different code paths. Perhaps try certbot --apache --dry-run?

Incidentally, I have given up on the Apache specific implementation. I have found that stopping apache and running certbot certonly --standalone -d example.com does a good job of generating keys and certs (point to them manually in your apache config) and then certbot renew with pre and post hook scripts in /etc/letsencrypt/renewal-hooks/{pre|post}/apache2.sh to stop and start apache works really well.

My scripts look like:

#!/bin/bash

# certbot pre renewal
# stop apache

systemctl stop apache2
sleep 5s

#!/bin/bash

# certbot post renewal
# start apache

systemctl start apache2
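
The error in the question is a SERVFAIL on the CAA lookup, which the CA performs from its side for the hostname and each parent name before it issues. The script below is an added example, not part of the original posts: it repeats that lookup with dig so the failing name can be found. The function names are made up for this example, and it assumes dig is installed.

```shell
#!/bin/bash
# Added example: repeat the CAA lookups a CA makes for a hostname.

# Print the names checked for CAA, most specific first (RFC 8659 tree climbing).
caa_names() {
    local name="${1%.}"            # drop a trailing dot, if any
    while [ -n "$name" ]; do
        printf '%s\n' "$name"
        case "$name" in
            *.*) name="${name#*.}" ;;   # strip the leftmost label
            *)   name="" ;;             # TLD reached, stop
        esac
    done
}

# Read dig output on stdin and print the response code from its header, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242   (constructed)
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# NOERROR and NXDOMAIN are clean answers (a CAA record may simply not exist).
# Anything else, including no response at all, is a failed lookup.
caa_lookup_ok() {
    case "$1" in
        NOERROR|NXDOMAIN) return 0 ;;
        *)                return 1 ;;
    esac
}

# Query CAA for every name in the chain and report the ones that fail.
check_caa() {
    local name status rc=0
    for name in $(caa_names "$1"); do
        status=$(dig +noall +comments CAA "$name" | dig_status)
        if caa_lookup_ok "$status"; then
            echo "ok    $name ($status)"
        else
            echo "FAIL  $name (${status:-no response})"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./check-caa.sh cms.ourdomain.com
if [ "$#" -gt 0 ]; then check_caa "$1"; fi
```

The answer here comes from your own resolver, not the CA's, so run it a few times: a failure that shows up only occasionally matches a renewal that fails right after an issuance that worked.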
