403 urn:acme:error:unauthorized: Error creating new cert :: Rechecking CAA: Got DNAME when looking up CNAME. DNAMEs not supported


#1

We’re trying to issue a cert but are getting this DNAMEs not supported error. There doesn’t appear to be any way of figuring out which domain is causing the problem, could someone please help diagnose which one is failing?



#2

If the error message doesn’t say, there isn’t a convenient way to know. Check that your ACME client is displaying the full error message. Its logs may contain more information.

In any case, I tried a quick for loop, and the only problematic name seems to be www.axwaywebinars.com. But I didn’t check parent domains, so I could have missed something.

$ dig www.axwaywebinars.com caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.axwaywebinars.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31677
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.axwaywebinars.com.             IN      CAA

;; ANSWER SECTION:
axwaywebinars.com.  86296   IN      DNAME   axway.com.
www.axwaywebinars.com.      86296   IN      CNAME   www.axway.com.
www.axway.com.              3496    IN      CNAME   axway.com.

;; AUTHORITY SECTION:
axway.com.          793     IN      SOA     ns1.axway.net. hostmaster.axway.com. 608 900 900 3600 900

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 21 15:44:56 UTC 2017
;; MSG SIZE  rcvd: 171

Edit:

You ought to be able to solve this by adding a quick (though redundant) record, “www.axwaywebinars.com. CNAME www.axway.com.”. Or by entirely ceasing to use DNAME. It’s pretty obscure, but that would be less convenient.
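
The per-name loop described in the reply above, extended to also query parent domains, as an added example that is not part of the original posts. The function names are made up here, the sample answer section is copied from the dig output above, and `check_names` needs network access and `dig`.

```shell
#!/bin/sh
# Added example: find which names in a certificate request hit a DNAME
# during a CAA lookup. Function names are illustrative assumptions.

# Print a name and each of its parents, one per line, stopping before the
# TLD. This mirrors the upward walk used for CAA checks (simplified).
caa_walk() {
    name=${1%.}
    while :; do
        case $name in
            *.*) printf '%s\n' "$name"; name=${name#*.} ;;
            *)   break ;;
        esac
    done
}

# Read `dig +noall +answer` text on stdin and print the owner name of every
# DNAME record in it. Exit status is 0 only if at least one DNAME was seen.
dname_owners() {
    awk '$3 == "IN" && $4 == "DNAME" { print $1; found = 1 }
         END { exit !found }'
}

# Query CAA for every name in the walk of each argument and report DNAME hits.
# Returns 1 if any name is affected. Requires dig and a working resolver.
check_names() {
    rc=0
    for fqdn in "$@"; do
        for label in $(caa_walk "$fqdn"); do
            if owners=$(dig +noall +answer "$label" CAA | dname_owners); then
                printf '%s: DNAME at %s (seen querying %s)\n' \
                    "$fqdn" "$owners" "$label"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Answer section copied from the dig output in the reply above, kept inline
# so the parser can be exercised without a network.
sample_answer() {
    cat <<'EOF'
axwaywebinars.com.  86296   IN      DNAME   axway.com.
www.axwaywebinars.com.      86296   IN      CNAME   www.axway.com.
www.axway.com.              3496    IN      CNAME   axway.com.
EOF
}
```

Run it as `check_names $(cat names.txt)`, where `names.txt` is a hypothetical file holding the names from the certificate request, one per line.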


#4

Unfortunately we aren’t including it in the error so indeed, there is no convenient way to know. Apologies.

I have the issue in my bucket for this week’s sprint.

