Acme:error:caa :: CAA record for ... prevents issuance

Hello everyone,
renewal of my certificate stopped working (see below).
I am afraid I am no network guru, and after reading several threads I still don't know what to do.
The certificate is for my self-hosted server; I have a static IP address from my internet provider.
Thanks in advance

[root@b2b-130-180-72-186 ]# dig caa unitymedia.biz @8.8.8.8

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> caa unitymedia.biz @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58737
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;unitymedia.biz. IN CAA

;; ANSWER SECTION:
unitymedia.biz. 21599 IN CAA 0 iodef "mailto:pki@libertyglobal.com"
unitymedia.biz. 21599 IN CAA 0 issuewild ";"
unitymedia.biz. 21599 IN CAA 0 issue "globalsign.com"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: b2b-130-180-72-186.unitymedia.biz

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/b2b-130-180-72-186.unitymedia.biz.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for b2b-130-180-72-186.unitymedia.biz
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (b2b-130-180-72-186.unitymedia.biz) from /etc/letsencrypt/renewal/b2b-130-180-72-186.unitymedia.biz.conf produced an unexpected error: Failed authorization procedure. b2b-130-180-72-186.unitymedia.biz (tls-sni-01): urn:ietf:params:acme:error:caa :: CAA record for b2b-130-180-72-186.unitymedia.biz prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/b2b-130-180-72-186.unitymedia.biz/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/b2b-130-180-72-186.unitymedia.biz/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: b2b-130-180-72-186.unitymedia.biz
    Type: None
    Detail: CAA record for b2b-130-180-72-186.unitymedia.biz prevents
    issuance

My web server is (include version): Apache

The operating system my web server runs on is (include version): Centos7

My hosting provider, if applicable, is: self hosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @Trench23,

It looks like the libertyglobal.com domain sets CAA records that indicate only GlobalSign is allowed to issue certificates for this domain. Let's Encrypt sees those CAA records and refuses to issue for the domain.

If you want to use a Let's Encrypt certificate you will have to update your CAA records. I recommend using SSLMate's CAA Record Generator. You'll need to add a record like:
unitymedia.biz. IN CAA 0 issue "letsencrypt.org".

Our CAA documentation page might help explain more.

Good luck!

2 Likes
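To make the CAA logic in that answer concrete, here is an added example (not code from the thread, from Certbot or from Let's Encrypt) that evaluates CAA the way RFC 8659 tells a CA to: climb from the hostname towards the root, take the first name that has CAA records, and check the issue/issuewild issuer list. The ZONE table is constructed from the dig output above and stands in for real DNS; all function names are assumptions.

```python
# Added example: offline CAA pre-flight check following RFC 8659.
# ZONE is constructed from the thread's dig output; it stands in for DNS.
ZONE = {
    "unitymedia.biz.": [
        (0, "iodef", "mailto:pki@libertyglobal.com"),
        (0, "issuewild", ";"),
        (0, "issue", "globalsign.com"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(fqdn, zone):
    """Climb from fqdn towards the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []


def issuer_domains(rrset, tag):
    """Issuer domains under a tag; the value ';' yields '' which matches no CA."""
    return {v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag}


def caa_permits(fqdn, ca_domain, zone=ZONE, wildcard=False):
    """Return True if ca_domain may issue for fqdn under the relevant CAA set."""
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical (flag bit 128) record with an unknown tag forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard requests
    allowed = issuer_domains(rrset, tag)
    if not allowed:
        return True  # only iodef present: the RRset does not restrict issuance
    return ca_domain.lower() in allowed


def zone_with_letsencrypt(zone=ZONE):
    """The fix proposed above: add an issue record naming letsencrypt.org."""
    fixed = {name: list(rrs) for name, rrs in zone.items()}
    fixed["unitymedia.biz."].append((0, "issue", "letsencrypt.org"))
    return fixed
```

With the constructed zone, `caa_permits("b2b-130-180-72-186.unitymedia.biz", "letsencrypt.org")` is False, which is exactly the `urn:ietf:params:acme:error:caa` result in the renewal log, and it turns True only with the extra issue record.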

This is a typo and should say CAA instead of CAAA.

2 Likes

Oops! Good catch @schoen. I edited my post to fix that.

1 Like

It looks like the CAA records are set by the ISP, so the topic starter won't be able to change that... A new form of vendor lock-in? :persevere:

1 Like

I don't think that a provider wants customers to create certificates using such internal names. Perhaps a customer doesn't have a static address; then he shouldn't be able to create a certificate with such a domain name.

2 Likes

Thank you for your answers!!!
It was not what I hoped, but what I feared :wink:

You can always get a free (sub)domain from, for example, FreeNom, or a subdomain from a dynamic DNS provider (assuming you've got a dynamic IP address). Just make sure that if you get a subdomain, the parent domain name is on the public suffix list, so you won't get any rate limit issues when you're getting a certificate. E.g., DuckDNS.
