Absent CAA Record preventing issuance


#1

Hi,

I’m having a problem renewing a certificate, certbot is saying that the CAA record prevents issuance but I can’t find any CAA record preventing the issuance, and after much research, I’m not sure how to further investigate the problem.


My domain is: kitmarianne.modernisation.gouv.fr

My web server is (include version): Nginx 1.12.1 + Tomcat 8.5.35

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Cloudwatt

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/kitmarianne.modernisation.gouv.fr.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kitmarianne.modernisation.gouv.fr
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/prod/tomcat/webapps/app/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/kitmarianne.modernisation.gouv.fr.conf produced an unexpected error: Failed authorization procedure. kitmarianne.modernisation.gouv.fr (http-01): urn:acme:error:caa :: CAA record for kitmarianne.modernisation.gouv.fr prevents issuance. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/kitmarianne.modernisation.gouv.fr/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kitmarianne.modernisation.gouv.fr
   Type:   None
   Detail: CAA record for kitmarianne.modernisation.gouv.fr prevents
   issuance

I ran this command: https://sslmate.com/caa/

It produced this output:

kitmarianne.modernisation.gouv.fr does not have a CAA policy.  Any certificate authority can issue certificates.

I ran this command: dig www.kitmarianne.modernisation.gouv.fr CAA

It produced this output:

; <<>> DiG 9.10.6 <<>> www.kitmarianne.modernisation.gouv.fr CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.kitmarianne.modernisation.gouv.fr. IN CAA

;; AUTHORITY SECTION:
modernisation.gouv.fr.	1800	IN	SOA	dns1.finances.gouv.fr. dnsmaster.finances.gouv.fr. 174 1200 300 1209600 3600

;; Query time: 51 msec
;; SERVER: 2a01:e00::1#53(2a01:e00::1)
;; WHEN: Fri Jan 04 16:11:25 CET 2019
;; MSG SIZE  rcvd: 126

#2

Hi @Campano

The CAA checking process performed by CAs follows a tree climbing algorithm, see “Where to put the record” in our CAA docs.

Checking labels above www.kitmarianne. shows the problematic CAA record that is blocking issuance:

$> dig +short -t CAA modernisation.gouv.fr
0 issue "certigna.com"

You can either have the administrator of this DNS zone update the CAA records to also bless Let’s Encrypt or you can override this with your own CAA record blessing Let’s Encrypt for kitmarianne or www.kitmarianne

Hope that helps!


#3

I don’t have control over the domain name, just over the server, so I’m not sure it’s possible.

Thank you very much for your quick answer :slightly_smiling_face:


#4

Unfortunately in this case you’ll need someone with control over the domain name to make an adjustment to proceed. :frowning:

Happy to help! Bonne année !


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.