ACME challenge fails because CAA record is not found

Starting from ~13 hours ago we can't issue certificates against LE staging. We get the following error from cert-manager:
Error accepting authorization: acme: authorization error for some.domain:
400 urn:ietf:params:acme:error:dns: DNS problem: NXDOMAIN looking up CAA for
some.domain - check that a DNS record exists
for this domain'

We never had a CAA record and AFAIK it's optional.
Can you assist?

2 Likes

Try:
Let's Debug (letsdebug.net)

3 Likes

+1. Facing the same issue for ~12 hours

+1, we are also facing the same issue

I wonder if something went wrong with this change, which was deployed to staging a bit less than a day ago. I think it will probably get rolled back or fixed soon!

I tried to reproduce the issue myself but couldn't. :person_shrugging:

Edit: I think @petercooperjr found the root cause here.

9 Likes

There were changes made to staging on ~2023-05-23T18:00:00Z that do involve serverside DNS changes, so chances are that something is currently wrong with staging. Production is currently running an older build.

(@_az beat me by a second :grinning:)

6 Likes

Thank you for the heads up. We are investigating.

7 Likes

See bdns: fix handling of NXDOMAIN by jsha · Pull Request #6916 · letsencrypt/boulder · GitHub (which should fix this issue) and the linked PR (which caused the issue).

7 Likes

We have merged the fix that Osiris linked above, and tagged a hotfix release which includes that fix. It should go to Staging soonish, and the current version which is exhibiting this broken behavior in Staging will not go to Prod.

11 Likes

The hotfix to staging went out about an hour ago. Seems like the errors have died down in our logs.

12 Likes