Configure DNS A records for ACME HTTP-01 challenges. Propagation timing, TTL settings, load balancer considerations, and multi-server validation setup. Here you’ll find practical guidance on getting A records right so HTTP-01 validation succeeds and certificate automation stays reliable.
A Record Configuration Guide
TL;DR: DNS A records map domain names to IPv4 addresses, forming the foundation of DNS-based routing that ACME HTTP-01 challenges depend on. Misconfigured A records are the leading cause of ACME HTTP-01 validation failures, causing certificates to fail issuance when the ACME CA cannot reach the correct server for challenge verification.
Need help with ACME? Try the Axelspire ACME support chatbot for implementation and troubleshooting.
Overview: Why A Records Matter for ACME Operations
A records represent the most fundamental DNS record type—they tell the internet "when someone requests example.com, send them to IP address 192.0.2.1." While conceptually simple, A record configuration directly determines whether ACME HTTP-01 challenges succeed or fail. When Let's Encrypt validates your domain ownership, it queries DNS for your domain's A record, then connects to that IP address expecting to find the HTTP-01 challenge response.
The ACME dependency: HTTP-01 challenge validation follows this sequence:
1. Your ACME client requests a certificate for example.com
2. Let's Encrypt CA looks up example.com A record via DNS
3. CA connects to the IP address from step 2
4. CA requests http://example.com/.well-known/acme-challenge/<token>
5. Your server must respond with the correct validation token
If your A record points to the wrong server, Let's Encrypt connects to a different machine that doesn't have the validation token—certificate issuance fails. This fundamental misconfiguration accounts for approximately 40% of ACME HTTP-01 validation failures in production environments.
Why This Belongs in ACME Client Operations
While A records are DNS fundamentals, this guide focuses on ACME operational context—the specific A record configurations that enable or break certificate automation. Understanding DNS isn't enough; you need to understand how ACME CAs use A records during validation, how CDNs and load balancers complicate A record configuration, and how to debug A record issues that manifest as ACME failures.
Real-world ACME scenario: Your organization uses Cloudflare as a CDN proxy. You configure an A record pointing to Cloudflare's proxy IP (104.16.x.x). You run Certbot on your origin server (192.0.2.1). HTTP-01 validation fails because Let's Encrypt connects to Cloudflare, not your origin server. The validation token exists on your origin but is unreachable through the proxy.
When A Records Matter for ACME
A records are critical for:
- HTTP-01 challenges: CA must reach your server via A record resolution
- Root domain certificates:
example.com(apex domain) requires A record (CNAME not allowed) - Multi-server environments: Ensuring validation happens on the certificate server
- Load balancer configurations: Routing ACME validation to appropriate backends
- Debugging certificate failures: 60% of HTTP-01 failures involve DNS misconfiguration
A records are NOT required for:
- DNS-01 challenges: Validation uses TXT records, not A records (though A records may still exist)
- Wildcard certificates: DNS-01 is required; A records irrelevant to validation
- Internal certificates: Private ACME servers may not require public DNS resolution
Related Documentation
This page is part of the Operating ACME Clients section:
- Operating ACME Clients Overview - Section introduction and navigation
- X.509 Certificate Verification - Certificate validation post-issuance
- Certbot Renewal Automation - Renewal patterns assuming proper DNS
- DNS-01 Challenge Validation - Alternative to HTTP-01 (bypasses A record issues)
- A Record Configuration (this page) - DNS foundations for HTTP-01
- HTTP-01 Challenge Validation (coming) - Detailed HTTP-01 implementation requiring proper A records
For broader DNS and infrastructure context:
- Multi-Cloud PKI - DNS across cloud providers
- Certificate Lifecycle Management - Lifecycle operations
For troubleshooting:
- Common Misconfigurations - Including DNS issues
- Chain Validation Errors - Post-issuance problems
For protocol understanding:
- ACME Protocol - HTTP-01 challenge specification
Problem Statement
Organizations frequently encounter A record misconfigurations that result in ACME HTTP-01 validation failures:
- Broken domain resolution: A records point to incorrect IP addresses, ACME CA cannot reach validation endpoint
- SSL certificate validation failures: Let's Encrypt HTTP-01 challenge fails when A record points to CDN/proxy instead of origin server
- Service disruptions: Multiple conflicting A records cause inconsistent DNS resolution, intermittent ACME failures
- Root domain accessibility issues: Only www subdomain configured, root domain certificate requests fail
- Traffic routing errors: A records point to load balancer VIP that doesn't route
/.well-known/acme-challenge/to certificate server - CDN proxy complications: A record points to CDN IP (Cloudflare, CloudFront) but ACME client runs on origin server
Common failure pattern:
ACME client log: "Timeout during connect (likely firewall problem)"
Reality: A record points to 104.16.132.229 (Cloudflare proxy)
Expected: A record should point to 192.0.2.1 (origin server with Certbot)
Architecture
A Record Structure (Standard DNS Format)
Field Definitions:
- name: Hostname (
@for root/apex domain,wwwfor subdomain) - TTL: Time-to-live in seconds (how long DNS resolvers cache this record)
- class: Always
IN(Internet) for modern DNS - type:
Afor IPv4 addresses (vsAAAAfor IPv6) - value: IPv4 address in dotted-decimal notation
Common A Record Patterns
Pattern 1: Root Domain Configuration
# Root/apex domain: example.com
@ 300 IN A 151.80.149.141
# Explanation:
# - @ symbol represents the apex/root domain
# - TTL 300 = 5 minutes cache time
# - Points to server at 151.80.149.141
Pattern 2: Complete Domain Setup (Root + WWW)
# Root domain: example.com
@ 300 IN A 192.0.2.1
# WWW subdomain: www.example.com
www 300 IN A 192.0.2.1
# Both point to same server (common pattern)
Pattern 3: Service-Specific Records
# Main website
@ 300 IN A 149.28.25.43
www 300 IN A 149.28.25.43
# API on separate server
api 300 IN A 149.28.25.44
# Streaming service on different infrastructure
stream 300 IN A 103.43.75.123
Pattern 4: Multi-Server with Load Balancing
# Multiple A records for round-robin DNS load balancing
www 300 IN A 192.0.2.1
www 300 IN A 192.0.2.2
www 300 IN A 192.0.2.3
# Warning: Complicates ACME HTTP-01 validation
# All servers must serve identical challenge responses
ACME HTTP-01 Validation Flow with A Records
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Client │ │ Let's │ │ DNS │
│ (Certbot) │ │ Encrypt │ │ Resolver │
└─────────────┘ └─────────────┘ └─────────────┘
│ │ │
│ 1. Request cert │ │
│──────────────────────▶│ │
│ │ │
│ 2. HTTP-01 challenge │ │
│◀──────────────────────│ │
│ │ │
│ │ 3. DNS query │
│ │───────────────────────▶│
│ │ │
│ │ 4. Return A record IP │
│ │◀───────────────────────│
│ │ │
│ │ 5. HTTP GET to IP │
│ │──────────────────┐ │
│ │ │ │
│ │ /.well-known/ │ │
│ │ acme-challenge│ │
│ │ │ │
┌──────▼──────┐ │ 6. Challenge │ │
│ Server │◀───────────────┴──response────────┘ │
│ (Must match │ │
│ A record) │ │
└─────────────┘
Critical Point: The server IP in step 6 MUST match the A record returned in step 4, or validation fails.
Provider-Specific Syntax
Different DNS providers use different syntax for A record configuration:
Standard Zone File Format (BIND)
NameSilo
Cloudflare Dashboard
Type: A
Name: @
IPv4 address: 192.0.2.1
TTL: Auto
Proxy status: DNS only (Orange cloud OFF for ACME validation)
Route53 (AWS)
Implementation
Basic Configuration
Root Domain Only
# Create A record for root domain
# DNS provider interface or API:
Name: @
Type: A
Value: 151.80.149.141
TTL: 300
Root + WWW (Recommended)
# Root domain
Name: @
Type: A
Value: 192.0.2.1
TTL: 300
# WWW subdomain
Name: www
Type: A
Value: 192.0.2.1
TTL: 300
ACME-Specific Configurations
Single Server HTTP-01 Setup
# Server IP: 209.200.39.244
# Certbot installed on this server
# DNS Configuration:
@ 300 IN A 209.200.39.244
www 300 IN A 209.200.39.244
# Verify resolution:
dig @8.8.8.8 example.com +short
# Should return: 209.200.39.244
Load Balancer Configuration
# Load balancer VIP: 192.0.2.100
# Backend servers: 192.0.2.1, 192.0.2.2, 192.0.2.3
# DNS Configuration (A record points to load balancer):
@ 300 IN A 192.0.2.100
www 300 IN A 192.0.2.100
# Load balancer must route /.well-known/acme-challenge/
# to server with Certbot (e.g., 192.0.2.1)
# HAProxy configuration example:
acl is_acme_challenge path_beg /.well-known/acme-challenge
use_backend certbot_server if is_acme_challenge
CDN/Proxy Bypass for ACME
# Problem: A record points to CDN proxy IP
# Solution: Temporarily set DNS only mode during validation
# Cloudflare: Disable orange cloud (proxy) during certificate issuance
# Or use DNS-01 challenge instead of HTTP-01
Advanced Patterns
Split DNS for Internal/External
# External DNS (public internet):
@ 300 IN A 203.0.113.10 # Public IP
# Internal DNS (corporate network):
@ 300 IN A 10.0.0.50 # Internal IP
# For ACME: Ensure external DNS points to server that can respond to HTTP-01
Multi-Region Failover
# Primary region
@ 300 IN A 192.0.2.1
# During failover, update to backup region:
@ 60 IN A 198.51.100.1 # Reduced TTL for faster propagation
# Note: Certificate must be present on both servers
Verification Commands
Basic DNS Query
# Query Google DNS
dig @8.8.8.8 example.com A
# Query Cloudflare DNS
dig @1.1.1.1 example.com A
# Query OpenDNS
dig @208.67.222.222 example.com A
# Check multiple regions
dig @8.8.8.8 example.com A +short
dig @1.1.1.1 example.com A +short
ACME Validation Simulation
# Simulate what Let's Encrypt sees
DOMAIN="example.com"
IP=$(dig +short $DOMAIN @8.8.8.8 | head -n1)
echo "Domain $DOMAIN resolves to $IP"
# Test HTTP connectivity to that IP
curl -v http://$IP/.well-known/acme-challenge/test \
-H "Host: $DOMAIN"
# Should be reachable for ACME validation to succeed
Comprehensive Validation Script
#!/bin/bash
DOMAIN="$1"
echo "=== A Record Validation for ACME ==="
echo "Domain: $DOMAIN"
echo ""
# Check A record from multiple DNS servers
echo "Checking A record resolution:"
for ns in 8.8.8.8 1.1.1.1 208.67.222.222; do
ip=$(dig +short "$DOMAIN" @$ns | grep -E '^[0-9]+\.' | head -n1)
echo " $ns → $ip"
done
# Get primary IP
PRIMARY_IP=$(dig +short "$DOMAIN" @8.8.8.8 | grep -E '^[0-9]+\.' | head -n1)
if [ -z "$PRIMARY_IP" ]; then
echo "ERROR: No A record found for $DOMAIN"
exit 1
fi
echo ""
echo "Primary IP: $PRIMARY_IP"
echo ""
# Test HTTP connectivity
echo "Testing HTTP connectivity:"
if curl -s -o /dev/null -w "%{http_code}" --max-time 5 \
"http://$PRIMARY_IP/.well-known/acme-challenge/test" \
-H "Host: $DOMAIN" | grep -q "404\|200"; then
echo " ✓ HTTP server reachable on $PRIMARY_IP"
else
echo " ✗ Cannot reach HTTP server on $PRIMARY_IP"
echo " This will cause ACME HTTP-01 validation to fail"
fi
Common Pitfalls
1. Incomplete Root Domain Configuration
Problem: Creating only www subdomain A record, missing root domain
# WRONG - Missing root domain
www 300 IN A 192.0.2.1
# Result: example.com doesn't resolve
# Impact: Cannot issue certificate for bare domain
Symptom:
$ dig example.com +short
# (no output - NXDOMAIN)
$ certbot certonly -d example.com
# Error: DNS query failed for example.com
Solution: Configure both root and www
# CORRECT
@ 300 IN A 192.0.2.1
www 300 IN A 192.0.2.1
# Verify both resolve:
$ dig example.com +short
192.0.2.1
$ dig www.example.com +short
192.0.2.1
2. Wrong IP Address Mapping
Problem: A record points to registrar's parking server or old IP
# WRONG - Points to registrar parking page
@ 300 IN A 195.20.52.215 # Registrar's server
# Impact: Let's Encrypt connects to registrar server,
# validation token doesn't exist there, validation fails
Symptoms:
$ curl http://example.com/.well-known/acme-challenge/test
# Returns registrar parking page HTML
$ certbot certonly --nginx -d example.com
# Error: The client lacks sufficient authorization
Solution: Update to actual server IP
# CORRECT - Points to your server where Certbot runs
@ 300 IN A 209.200.39.244
# Verify correct server responds:
$ curl -I http://209.200.39.244
# Should return headers from YOUR server
3. CDN/Proxy IP Configuration
Problem: A record points to CDN proxy IP while Certbot runs on origin
# WRONG for HTTP-01 validation
@ 300 IN A 104.16.132.229 # Cloudflare proxy IP
# Your Certbot server: 192.0.2.1
# Let's Encrypt connects to 104.16.132.229 (Cloudflare)
# Validation token is on 192.0.2.1 (unreachable)
Symptoms:
$ certbot certonly --nginx -d example.com
# Error: Fetching http://example.com/.well-known/acme-challenge/...
# Connection timed out
Solutions:
Option A: Use DNS-01 instead of HTTP-01
certbot certonly --dns-cloudflare \
--dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
-d example.com
Option B: Temporarily disable CDN proxy
# Cloudflare: Turn off orange cloud (set to "DNS only")
# Issue certificate
# Re-enable orange cloud after cert issued
Option C: Configure CDN to proxy ACME challenges to origin
# Cloudflare Page Rule:
# URL: *example.com/.well-known/acme-challenge/*
# Setting: SSL = Flexible, Cache Level = Bypass
4. Multiple Conflicting A Records
Problem: Multiple A records with different IPs cause round-robin
# WRONG - Unintentional multiple A records
@ 300 IN A 192.0.2.1 # Old server
@ 300 IN A 192.0.2.2 # New server
# DNS returns both IPs in random order
# Let's Encrypt may connect to old server without validation token
Symptoms:
Solution: Single A record per hostname
# CORRECT - Only one A record
@ 300 IN A 192.0.2.2 # Current server only
# Delete old A record from DNS
5. TTL Too High During Migration
Problem: Long TTL delays DNS propagation during server changes
# WRONG - High TTL during server migration
@ 86400 IN A 192.0.2.1 # TTL = 24 hours
# Change server IP to 192.0.2.2
# Some DNS resolvers still cache old IP for 24 hours
# ACME validation fails on old IP
Solution: Reduce TTL before migration
# Step 1: Reduce TTL (24 hours before migration)
@ 300 IN A 192.0.2.1 # TTL = 5 minutes
# Step 2: Wait 24 hours for old TTL to expire
# Step 3: Update IP address
@ 300 IN A 192.0.2.2 # New IP, short TTL
# Step 4: After stable, increase TTL again
@ 3600 IN A 192.0.2.2 # TTL = 1 hour
6. Load Balancer Without ACME Routing
Problem: A record points to load balancer, but LB doesn't route ACME challenges correctly
# A record configuration:
@ 300 IN A 192.0.2.100 # Load balancer VIP
# Backend servers: 192.0.2.1, 192.0.2.2, 192.0.2.3
# Certbot runs on 192.0.2.1 only
# LB routes requests round-robin
# 66% of validation attempts fail (go to wrong backend)
Solution: Configure LB to route ACME challenges to specific backend
# Nginx load balancer configuration
upstream backend {
server 192.0.2.1; # Certbot server
server 192.0.2.2;
server 192.0.2.3;
}
upstream certbot_backend {
server 192.0.2.1; # Only Certbot server
}
server {
listen 80;
server_name example.com;
# Route ACME challenges to Certbot server only
location /.well-known/acme-challenge/ {
proxy_pass http://certbot_backend;
}
# All other traffic load balanced
location / {
proxy_pass http://backend;
}
}
7. Internal/External DNS Mismatch
Problem: Internal DNS has different A record than external DNS
# External DNS (public internet):
@ 300 IN A 203.0.113.10 # Public IP
# Internal DNS (corporate network):
@ 300 IN A 10.0.0.50 # Internal IP
# Certbot runs on internal network, tests against internal DNS
# Let's Encrypt validates against external DNS
# Potential mismatch if both servers don't serve identical content
Solution: Ensure both IPs serve ACME challenges
# Option 1: Run Certbot on publicly accessible server (203.0.113.10)
# Option 2: Configure internal server to handle ACME challenges
# and sync certificates to internal server
# Option 3: Use DNS-01 challenge (bypasses HTTP entirely)
Best Practices
1. Single A Record per Hostname (Unless Load Balancing)
Principle: One hostname = one IP address for predictable routing
# GOOD - Single A record per hostname
@ 300 IN A 203.0.113.10
www 300 IN A 203.0.113.10
api 300 IN A 203.0.113.11
# AVOID - Multiple A records unless intentionally load balancing
@ 300 IN A 203.0.113.10
@ 300 IN A 203.0.113.20 # Only if both servers identical
Exception: Round-robin DNS for load balancing
# Acceptable when all servers serve identical content
www 300 IN A 192.0.2.1
www 300 IN A 192.0.2.2
www 300 IN A 192.0.2.3
# But ensure all servers can handle ACME challenges
2. Consistent IP Mapping Across Subdomains
Pattern: Related services on same server use same IP
# Production pattern - related services grouped
@ 300 IN A 203.0.113.10 # Main server
www 300 IN A 203.0.113.10 # Same server
blog 300 IN A 203.0.113.10 # Same server
api 300 IN A 203.0.113.11 # API server
api-v2 300 IN A 203.0.113.11 # Same API server
mail 300 IN A 203.0.113.12 # Mail server
smtp 300 IN A 203.0.113.12 # Same mail server
3. TTL Optimization for Different Scenarios
Production (Stable Services)
# Higher TTL reduces DNS query load, improves performance
@ 3600 IN A 203.0.113.10 # 1 hour
www 3600 IN A 203.0.113.10
Migration/Maintenance Window
# Lower TTL enables faster changes
@ 300 IN A 203.0.113.10 # 5 minutes
www 300 IN A 203.0.113.10
# After successful migration and stabilization, increase TTL
Development/Testing
ACME Certificate Issuance
# Moderate TTL during certificate operations
@ 300 IN A 203.0.113.10 # 5 minutes
# Allows quick DNS changes if validation issues discovered
4. Service Isolation and Purpose-Built IPs
Pattern: Separate IPs for different service types
# Web services cluster
@ 300 IN A 203.0.113.10
www 300 IN A 203.0.113.10
app 300 IN A 203.0.113.10
# API services cluster
api 300 IN A 203.0.113.20
api-v1 300 IN A 203.0.113.20
api-v2 300 IN A 203.0.113.21
# Infrastructure services
vpn 300 IN A 203.0.113.30
admin 300 IN A 203.0.113.31
Benefit for ACME: Clear separation of certificate management responsibilities
5. SSL Certificate Validation Considerations
Critical Rule: A record must point to server where ACME client runs (for HTTP-01)
# Server running Certbot: 192.0.2.1
# CORRECT - A record points to Certbot server
@ 300 IN A 192.0.2.1
# Certificate issuance will succeed
certbot certonly --nginx -d example.com
Multi-Server Strategy:
# Option 1: Centralized certificate server
# One server issues certificates, distributes to others
cert-mgmt 300 IN A 192.0.2.100 # Certificate management server
# Option 2: Direct issuance per server
web1 300 IN A 192.0.2.1 # Each server issues own cert
web2 300 IN A 192.0.2.2
web3 300 IN A 192.0.2.3
6. Monitoring and Validation
Pre-Deployment Validation
#!/bin/bash
# Validate A record before ACME operations
DOMAIN="$1"
echo "Validating A record for $DOMAIN"
# Check A record exists
IP=$(dig +short "$DOMAIN" @8.8.8.8 | head -n1)
if [ -z "$IP" ]; then
echo "ERROR: No A record found"
exit 1
fi
echo "A record: $DOMAIN → $IP"
# Check server responds on that IP
if timeout 5 curl -sf "http://$IP" -H "Host: $DOMAIN" > /dev/null; then
echo "✓ Server reachable at $IP"
else
echo "✗ Server not reachable at $IP"
echo "HTTP-01 validation will fail"
exit 1
fi
echo "✓ A record configuration valid for ACME"
Continuous Monitoring
# Monitor A record changes
dig example.com @8.8.8.8 | grep "^example.com" | \
mail -s "DNS A Record Check" monitoring@example.com
# Alert on unexpected changes
Post-Change Verification
# After updating A record, verify propagation
for ns in 8.8.8.8 1.1.1.1 208.67.222.222 8.8.4.4; do
echo -n "Checking $ns: "
dig +short example.com @$ns
done
7. Documentation and Inventory
Maintain DNS Inventory
# DNS A Record Inventory
## Production Web Services
- example.com → 203.0.113.10 (primary-web-01)
- www.example.com → 203.0.113.10 (primary-web-01)
- app.example.com → 203.0.113.10 (primary-web-01)
## API Services
- api.example.com → 203.0.113.20 (api-server-01)
- api-v2.example.com → 203.0.113.21 (api-server-02)
## Certificate Management
- Certbot installed on: primary-web-01 (203.0.113.10)
- Certificates managed: example.com, www.example.com, app.example.com
- Renewal: Automated via systemd timer
## Last Updated
- Date: 2026-01-24
- Changed by: ops-team
- Reason: New API server deployment
Change Management
# Document every A record change
Date: 2026-01-24
Domain: example.com
Old IP: 192.0.2.1
New IP: 203.0.113.10
Reason: Server migration
Impact: Requires certificate reissuance
Verified by: John Doe
8. Disaster Recovery Considerations
Backup DNS Configuration
# Export current DNS configuration
dig example.com ANY > dns-backup-example.com-$(date +%Y%m%d).txt
# Store A record configuration
cat > a-records-backup.txt << 'EOF'
@ 300 IN A 203.0.113.10
www 300 IN A 203.0.113.10
api 300 IN A 203.0.113.11
EOF
Failover Procedure
# 1. Reduce TTL (if not already low)
@ 60 IN A 203.0.113.10 # Primary
# 2. Update to backup IP during outage
@ 60 IN A 198.51.100.1 # Backup
# 3. Verify propagation
dig @8.8.8.8 example.com +short
# 4. Ensure certificates present on backup server
scp /etc/letsencrypt/live/example.com/* backup-server:/etc/ssl/
Operational Checklist
Before deploying ACME with HTTP-01 challenges:
- [ ] Configure A record for root domain (@)
- [ ] Configure A record for www subdomain
- [ ] Verify A records resolve correctly from multiple DNS servers (8.8.8.8, 1.1.1.1, 208.67.222.222)
- [ ] Ensure A record points to server where ACME client will run
- [ ] Test HTTP connectivity to resolved IP address
- [ ] Verify firewall allows HTTP (port 80) access from internet
- [ ] Check for CDN/proxy interference (disable or configure bypass)
- [ ] Confirm no conflicting A records exist
- [ ] Set appropriate TTL (300-600 seconds recommended)
- [ ] Document A record configuration in inventory
- [ ] Test ACME challenge path accessibility:
curl http://DOMAIN/.well-known/acme-challenge/test - [ ] Verify load balancer routes ACME challenges correctly (if applicable)
- [ ] Check internal/external DNS consistency (if split DNS)
- [ ] Establish monitoring for A record changes
- [ ] Document rollback procedures for DNS changes
- [ ] Create backup of DNS configuration
Related Documentation
ACME Operations:
- Operating ACME Clients Overview - Section navigation
- X.509 Certificate Verification - Certificate validation
- Certbot Renewal Automation - Renewal patterns
- DNS-01 Challenge Validation - Alternative to HTTP-01
- HTTP-01 Challenge Validation (coming) - Detailed HTTP-01 requiring proper A records
Broader Operations:
- Certificate Lifecycle Management - Complete lifecycle
- Renewal Automation - Automation strategies
Implementation:
- Multi-Cloud PKI - DNS across cloud providers
- ACME Protocol Implementation - Building ACME servers
Troubleshooting:
- Common Misconfigurations - Including DNS issues
- Expired Certificate Outages - Incident response
Protocol:
- ACME Protocol - HTTP-01 challenge specification
- TLS Protocol - TLS and certificates
This comprehensive guide ensures proper A record configuration for successful ACME HTTP-01 challenge validation, preventing the most common cause of certificate issuance failures in production environments.