Certify has been a great tool for setting up free SSL certificates, and it is especially nice if you have a lot of sites, both for the cost savings and for the ability to auto-update certs. I use a Windows-based tool called Certify The Web to automate this, and it has worked great for a long while.
I started having errors recently with the tool, though, along the lines of “DNS problem: SERVFAIL looking up CAA for ” followed by the specific domain name. This took a little head scratching, but apparently the problem comes from a newer DNS record type, CAA (Certification Authority Authorization), that DNS servers can (should?) support. It is a record that lets you list which certificate authorities are allowed to issue certificates for a particular domain.
Many/most DNS servers didn't support this record type a while back, and Certify would swallow the “error” response it got back when querying for it. That recently changed: Certify now requires that the CAA lookup succeed, even if it returns no records. So an error response is no longer tolerated, but an empty answer is fine.
I use the DNS servers at my domain registrar for a lot of domains, and apparently those servers have not been updated to support this record type, so I suddenly began to get this error on my sites. I use AWS DNS for higher-profile sites, and it seems to work fine there.
In case you run into this with your servers, you'll need to get in touch with your DNS provider and ask them to update their servers so they support this new(er) record type.
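To see for yourself which of the three cases above your DNS provider puts you in, the following added example (my own illustration, not code from the original post or from Certify The Web) parses the text that `dig +noall +comments +answer CAA <name>` prints and classifies it the way a certificate authority would: a SERVFAIL status is a failed lookup, a NOERROR status with no answer records means no restriction, and if records are present it applies the CAA issuance rule from RFC 8659, including the walk up to parent names that the RFC specifies when the name itself has no CAA set. The three dig outputs and the `fake_resolve` function are constructed samples; `example.com` and `letsencrypt.org` stand in for your own domain and CA.

```python
"""Classify a CAA lookup the way a certificate authority does before issuing.

Added example, not code from the original post or from Certify The Web.
The dig outputs below are constructed samples; example.com is a placeholder.
Real input comes from:  dig +noall +comments +answer CAA <name>
"""
import re

# Constructed sample responses in the shape dig prints them.
# A server that does not know the record type typically answers SERVFAIL.
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# A server that supports CAA but has none configured answers NOERROR with an
# empty ANSWER section; this is the "empty but fine" case.
SAMPLE_EMPTY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
# A zone that allows one CA for ordinary names and nobody for wildcards.
SAMPLE_RECORDS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com.\t300\tIN\tCAA\t0 issue "letsencrypt.org"
example.com.\t300\tIN\tCAA\t0 issuewild ";"
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
CAA_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', re.M)


def parse_dig_output(text):
    """Return (rcode, [(flags, tag, value), ...]) parsed from dig's text output."""
    m = STATUS_RE.search(text)
    rcode = m.group(1) if m else "UNKNOWN"
    records = [(int(flags), tag, value)
               for _, flags, tag, value in CAA_RE.findall(text)]
    return rcode, records


def caa_permits(records, ca, wildcard=False):
    """Apply the RFC 8659 issuance rule to one CAA record set.

    No records: any CA may issue.  Otherwise the CA must appear in an 'issue'
    property ('issuewild' takes precedence for wildcard names when present).
    A value of ';' names no CA at all, so it forbids issuance.
    """
    if not records:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:  # only unrelated properties (e.g. iodef): permitted
        return True
    # Strip parameters such as "letsencrypt.org; validationmethods=dns-01".
    allowed = {v.split(";")[0].strip() for v in relevant}
    return ca in allowed


def classify(dig_text, ca="letsencrypt.org", wildcard=False):
    """Map one dig response to the outcome a CA would reach for this name."""
    rcode, records = parse_dig_output(dig_text)
    if rcode not in ("NOERROR", "NXDOMAIN"):
        return "DNS_ERROR"  # SERVFAIL etc.: the lookup failed, issuance is refused
    if not records:
        return "NO_CAA"  # empty answer: no restriction at this name
    return "CAA_ALLOWS" if caa_permits(records, ca, wildcard) else "CAA_BLOCKS"


def effective_caa(name, resolve):
    """RFC 8659 section 3: the relevant set is the one at the closest ancestor
    (the name itself first) that has any CAA records.  `resolve` is a
    hypothetical callable returning dig-style text for a fully qualified name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        fqdn = ".".join(labels[i:]) + "."
        rcode, records = parse_dig_output(resolve(fqdn))
        if rcode not in ("NOERROR", "NXDOMAIN"):
            return "DNS_ERROR", fqdn, []
        if records:
            return "FOUND", fqdn, records
    return "NO_CAA", None, []


# Constructed stand-in for a resolver: CAA records only at the zone apex.
FAKE_ZONE = {"example.com.": SAMPLE_RECORDS}


def fake_resolve(fqdn):
    return FAKE_ZONE.get(fqdn, SAMPLE_EMPTY)


if __name__ == "__main__":
    for label, sample in (("servfail", SAMPLE_SERVFAIL),
                          ("empty", SAMPLE_EMPTY),
                          ("records", SAMPLE_RECORDS)):
        print(f"{label:9s} -> {classify(sample)}")
    print("www.example.com. ->", effective_caa("www.example.com.", fake_resolve))
```

Run it against the saved output of the `dig` command on each hostname you are requesting a certificate for; a `DNS_ERROR` result on any name in the chain up to the zone apex is exactly the situation the post describes, and the fix is on the DNS provider's side, not in the certificate tool.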