I’m having a problem renewing a certificate: certbot is saying that the CAA record prevents issuance, but I can’t find any CAA record preventing the issuance, and after much research I’m not sure how to investigate the problem further.
My domain is: kitmarianne.modernisation.gouv.fr
My web server is (include version): Nginx 1.12.1 + Tomcat 8.5.35
The operating system my web server runs on is (include version): CentOS 7
My hosting provider, if applicable, is: Cloudwatt
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I ran this command: sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/kitmarianne.modernisation.gouv.fr.conf
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kitmarianne.modernisation.gouv.fr
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/prod/tomcat/webapps/app/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/kitmarianne.modernisation.gouv.fr.conf produced an unexpected error: Failed authorization procedure. kitmarianne.modernisation.gouv.fr (http-01): urn:acme:error:caa :: CAA record for kitmarianne.modernisation.gouv.fr prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kitmarianne.modernisation.gouv.fr/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
- The following errors were reported by the server:
Domain: kitmarianne.modernisation.gouv.fr
Type: None
Detail: CAA record for kitmarianne.modernisation.gouv.fr prevents
I ran this command: https://sslmate.com/caa/
It produced this output:
kitmarianne.modernisation.gouv.fr does not have a CAA policy. Any certificate authority can issue certificates.
I ran this command: dig www.kitmarianne.modernisation.gouv.fr CAA
It produced this output:
; <<>> DiG 9.10.6 <<>> www.kitmarianne.modernisation.gouv.fr CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
;www.kitmarianne.modernisation.gouv.fr. IN CAA
modernisation.gouv.fr. 1800 IN SOA dns1.finances.gouv.fr. dnsmaster.finances.gouv.fr. 174 1200 300 1209600 3600
;; Query time: 51 msec
;; SERVER: 2a01:e00::1#53(2a01:e00::1)
;; WHEN: Fri Jan 04 16:11:25 CET 2019
;; MSG SIZE rcvd: 126
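Added example, not part of the post above: a small Python model of the CAA check a CA performs under RFC 8659. It walks from the requested name up through each parent label (kitmarianne.modernisation.gouv.fr, then modernisation.gouv.fr, gouv.fr, fr) and applies the first non-empty CAA set it finds, which is why querying only one name, or only the www name, does not show the whole picture. The zone data is constructed so the code runs offline and does not reflect the real gouv.fr records; treating a failed lookup as blocking is the conservative reading of the RFC, assumed here.

```python
# Added example (not from the original post): the CAA "tree-climbing" check a CA
# performs (RFC 8659), run against a constructed in-memory zone instead of live DNS.
# The CA looks at the FQDN, then each parent label; the first name that returns any
# CAA records decides the policy. A lookup failure (SERVFAIL / DNSSEC error) at any
# level is treated here as blocking issuance, the conservative reading of the RFC.

CA_ID = "letsencrypt.org"

# Constructed sample zone: name -> list of (flags, tag, value), or the string
# "SERVFAIL" to model a failing lookup. Nothing here reflects the real gouv.fr zones.
SAMPLE_ZONE = {
    "kitmarianne.modernisation.gouv.fr": [],           # no CAA at the leaf
    "modernisation.gouv.fr": [],                       # none here either
    "gouv.fr": [(0, "issue", "someotherca.example")],  # parent policy applies
    "fr": [],
}

def lookup_caa(zone, name):
    """Return the CAA RRset for `name` ([] if none) or raise on lookup failure."""
    answer = zone.get(name, [])
    if answer == "SERVFAIL":
        raise RuntimeError(f"CAA lookup for {name} failed")
    return answer

def effective_caa(zone, fqdn):
    """Climb from fqdn to the TLD; return (name, rrset) for the first non-empty CAA set."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(zone, name)
        if rrset:
            return name, rrset
    return None, []

def may_issue(zone, fqdn, ca=CA_ID, wildcard=False):
    """Apply RFC 8659 issue/issuewild semantics; False means 'CAA prevents issuance'."""
    try:
        name, rrset = effective_caa(zone, fqdn)
    except RuntimeError:
        return False  # failed lookup anywhere in the chain: do not issue
    if not rrset:
        return True  # no CAA at any level: any CA may issue
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    allowed = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    # An "issue ;" record (empty issuer) yields "" and so forbids every CA.
    return ca in allowed
```

Running may_issue(SAMPLE_ZONE, "kitmarianne.modernisation.gouv.fr") returns False even though the leaf has no CAA record, because the constructed gouv.fr policy is inherited.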