Solved: ACME challenge fails because CAA record is not found

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article.  You can get a cheaper VPS Server from Contabo with 4vCPU cores, 8GM RAM, and 32TB Bandwidth for less than $5.50 per month. Get this deal here now

Table of Contents

Cloud VPS S

$5.50 Monthly
  • 4 vCPU Cores | 8GB RAM


$15.50 Monthly
  • 6 vCPU Cores | 16GB RAM


$17.50 Monthly
  • 8 vCPU Cores | 24GB RAM

The error “ACME challenge fails because CAA record is not found” typically occurs when the Certificate Authority Authorization (CAA) record for your domain is not configured or does not permit the Certificate Authority (CA) to issue a certificate for your domain. CAA records are DNS records that specify which CAs are allowed to issue certificates for a domain.

Here are steps to fix this issue:

Review DNS Configuration

Verify that your domain’s DNS configuration includes a CAA record. Use a DNS lookup tool or check your domain registrar’s control panel to inspect the current DNS records.

Add CAA Record if Missing

If your domain does not have a CAA record, consider adding one. The CAA record should include the details of the CA that you want to authorize for certificate issuance. Let’s Encrypt primarily uses the “CAA” (Certification Authority Authorization) record with the following values: CAA 0 issue ""

This CAA record allows Let’s Encrypt to issue certificates for the domain. However, it’s essential to check the latest documentation or Let’s Encrypt’s official website for any updates or changes to their CAA record configuration, as practices and configurations may evolve over time.

Update CAA Record

If you have a CAA record but it does not include the correct information or is restrictive, modify it accordingly. Ensure that the issue parameter allows the CA you are using (such as Let’s Encrypt). CAA 0 issue ""

Propagate DNS Changes

After adding or modifying the CAA record, DNS changes may take some time to propagate. Allow for DNS propagation before attempting to validate the ACME challenge again.

RECOMMENDED READING: How to check for DNS propagation using the Linux terminal

If the DNS propagation has not been completed, you’re likely to face difficulties with installing the Let’s Encrypt SSL certificate on your domain.

Retry ACME Challenge

The ACME (Automated Certificate Management Environment) challenge is a key component of Let’s Encrypt’s automated certificate issuance process. When you request a certificate from Let’s Encrypt, you typically need to prove that you have control over the domain for which you’re requesting the certificate. The ACME challenge is the mechanism through which this verification is done.

Once you’ve confirmed that the CAA record is correctly configured, retry the ACME challenge for certificate issuance. This may involve running your ACME client again or clicking a verification link, depending on the method you are using.

sudo certbot certonly --webroot -w /path/to/your/web/root -d -d

Replace /path/to/your/web/root with the actual path to your web server’s root directory, and replace and with your actual domain names.

This command instructs Certbot to use the webroot plugin (--webroot) and specifies the webroot path (-w). The -d flag is used to specify the domain names for which you want to obtain a certificate.

Debugging and Logs

The location of error logs associated with the ACME challenges and Let’s Encrypt certificate issuance depends on the web server or ACME client you are using. Here are some general guidelines for common web servers:


Error logs for Apache are typically found in the /var/log/apache2/ directory on Linux systems. Look for error log files such as error.log or ssl_error.log.


Nginx error logs are commonly located in the /var/log/nginx/ directory on Linux systems. Check files like error.log for ACME-related errors.

Certbot (Official Let’s Encrypt Client)

Certbot, the official Let’s Encrypt client, may log ACME-related issues to the syslog or to specific log files.

Common locations include :




Custom ACME Clients

If you are using a custom ACME client, check the documentation or configuration of that specific client to determine where it logs errors.

Log locations can vary, and some clients allow you to specify the log file location in the configuration.

Operating System Log

In some cases, errors related to ACME challenges may be logged in the system logs, such as:




It’s essential to review the documentation of the specific tools and software you are using, as they might provide guidance on where to find logs and how to troubleshoot issues. Additionally, when encountering problems with Let’s Encrypt certificate issuance, checking the output of the ACME client command you used (such as Certbot) can provide valuable information about any encountered errors or challenges during the certificate request process.

Hire us to handle what you want

Hire us through our Fiverr Profile and leave all the complicated & technical stuff to us. Here are some of the things we can do for you:

  • Website migration, troubleshooting, and maintenance.
  • Server & application deployment, scaling, troubleshooting, and maintenance
  • Deployment of Kubernetes, Docker, Cloudron, Ant Media, Apache, Nginx,  OpenVPN, cPanel, WHMCS, WordPress, and more
  • Everything you need on AWS, IBM Cloud, GCP, Azure, Oracle Cloud, Alibaba Cloud, Linode, Contabo, DigitalOcean, Ionos, Vultr, GoDaddy, HostGator, Namecheap, DreamHost, and more.

We will design, configure, deploy, or troubleshoot anything you want. Starting from $10, we will get your job done in the shortest time possible. Your payment is safe with Fiverr as we will only be paid once your project is completed.