ACME challenge fails because CAA record is not found - February 8, 2024

My domain is: gtr.certsbridge.com

Hi. I see an increased number of errors:
400 urn:ietf:params:acme:error:dns: DNS problem: networking error looking up CAA for ...

For the gtr.certsbridge.com domain I have a prober configured that issues the certificate from Let's Encrypt a few times a day. There have been no problems for this domain so far.

I see that other domains for which my team issues certificates also return code 400. It seems to me that this problem is not limited to my domain only.

The graph shows that the number of errors increased on February 8 at 2:00 PM PST time for all my domains.

Hi, we will investigate. Thank you for providing the data.

4 Likes

A little bit off-topic perhaps, but isn't this a little bit wasteful? What's the purpose of generating that many certificates?

1 Like

We have many external customers and many certificates. We want to know when Let's Encrypt is down and which functionalities do not work (sometimes it is only one type, e.g. TLS-ALPN).

In this case there is an increased number of error 400 urn:ietf:params:acme:error:dns.

I would estimate the error ratio at the level of 40%-50% in the last few days. Let's Encrypt works, but sometimes we have to try it several times to get a cert. This may be a problem with multi-SAN certificates.

We also have probers and tests for pki.goog CA for the same domain. I don't see any problems getting a certificate from this CA, so I think it's a problem on Let's Encrypt's side.

2 Likes

Our metrics indicate that the number of failures here has gone down again, returning to normal over the weekend. Do you see the same on your end?

3 Likes

The problem no longer occurs.


I consider the topic closed.

It would be nice to know why this happened.
On our end, we tried to check and we didn't seem to have any problems with our DNS servers and the CAA record was always visible.

3 Likes
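Added example (not from this thread and not Let's Encrypt's own code): an offline model of the CAA lookup a CA performs before issuing, following the RFC 8659 "Relevant RRset" rule (climb from the requested name toward the root and use the first non-empty CAA RRset), then the issue/issuewild decision for a given issuer domain. It also models the failure mode this thread hit: a resolver error on one label in the chain, which a conservative CA treats as "cannot issue" rather than as permission. The zone names, records and the simulated resolver are all constructed for the example.

```python
"""Offline model of CAA processing (RFC 8659): tree-climbing lookup plus the
issue/issuewild authorization decision. Added example with constructed data;
this is not Boulder or any other CA's implementation."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 = "issuer critical"
    tag: str     # issue / issuewild / iodef / unknown
    value: str   # "<issuer-domain>[; param=value ...]" or ";" meaning nobody


class CAALookupFailure(Exception):
    """The resolver could not answer (SERVFAIL / timeout), as opposed to a clean NODATA."""


# Constructed zone data (hypothetical names). A value of None marks a name whose
# lookup fails, simulating the "networking error looking up CAA" from the thread;
# an empty list is a clean answer with no CAA records.
CONSTRUCTED_ZONE = {
    "customer-zone.example.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "pki.goog"),
        CAARecord(0, "issuewild", ";"),          # no wildcard issuance at all
    ],
    "gtr.customer-zone.example.": [],            # no CAA here; parent governs
    "broken.example.": None,                     # resolver error at this label
    "sub.broken.example.": [],
    "locked.example.": [CAARecord(0, "issue", ";")],
    "strict.example.": [CAARecord(128, "futuretag", "x")],  # critical unknown property
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def query_caa(zone, name):
    """Simulated resolver: return the CAA RRset for `name`, or raise on lookup failure."""
    rrset = zone.get(name, [])
    if rrset is None:
        raise CAALookupFailure(f"networking error looking up CAA for {name}")
    return rrset


def relevant_caa_rrset(zone, name):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking toward the root.

    Returns (owner_name, rrset); (None, []) when no ancestor publishes CAA.
    A lookup failure at any level propagates, because the CA cannot know
    whether that level would have forbidden issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = query_caa(zone, candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuance_allowed(zone, name, issuer_domain, wildcard=False):
    """Decide whether `issuer_domain` may issue for `name`. Returns (allowed, reason)."""
    try:
        source, rrset = relevant_caa_rrset(zone, name)
    except CAALookupFailure as exc:
        # Conservative choice: a failed lookup is not treated as permission.
        return False, f"lookup failed: {exc}"
    if not rrset:
        return True, "no CAA records in the tree; issuance is not restricted"
    # An unrecognized property marked critical means the CA must not issue.
    for rec in rrset:
        if rec.flags & 128 and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}' at {source}"
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    tag = "issuewild" if wildcard else "issue"
    governing = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not governing:
        governing = [r for r in rrset if r.tag.lower() == "issue"]
    if not governing:
        return True, f"no '{tag}' property at {source}; issuance is not restricted"
    for rec in governing:
        # Everything before the first ';' is the issuer domain; a bare ';' names nobody.
        domain = rec.value.split(";", 1)[0].strip().lower()
        if domain and domain == issuer_domain.lower():
            return True, f"{issuer_domain} authorized by {source}"
    return False, f"{issuer_domain} not listed in '{tag}' at {source}"


if __name__ == "__main__":
    for host, issuer, wild in [
        ("gtr.customer-zone.example.", "letsencrypt.org", False),
        ("gtr.customer-zone.example.", "digicert.com", False),
        ("gtr.customer-zone.example.", "letsencrypt.org", True),
        ("sub.broken.example.", "letsencrypt.org", False),
        ("locked.example.", "letsencrypt.org", False),
    ]:
        print(host, issuer, "wildcard" if wild else "", issuance_allowed(CONSTRUCTED_ZONE, host, issuer, wild))
```

The point for the thread: the poster's own check ("the CAA record was always visible") answers only the question of whether the RRset exists, while the ACME error above says the CA's resolver could not complete a lookup somewhere in the chain, which this model surfaces as a distinct "lookup failed" outcome rather than as a missing or unauthorizing record. Replacing `query_caa` with a real resolver call (for example via dnspython) turns this into a client-side pre-check that distinguishes those two cases before an order is placed.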

We are still investigating the root cause. It does appear to have been some sort of problem with our DNS resolvers, but we haven’t pinpointed the problem yet.

5 Likes

"SuperBowl" pre-game jitters!

1 Like

Have you done something effectively, or did the problem just ameliorate on its own?

3 Likes

We aren’t yet aware of anything we did to either cause or to fix the problem.

5 Likes

Our team has an on-going issue with this same validation error against the gsa.gov domain space. We haven't been able to reissue certs for the last few weeks. The only additional item I can provide is that we have full DNSSEC in place and no errors present in different validators.

Your issue may be something different if it's an "on-going issue"; since this was about intermittent timeouts. You should probably open a new topic in the Help category and fill out the template, with the information on your domain name and exact error messages, and someone can probably help you. (It might be the same thing, but it might not.)

3 Likes