All azure.com subdomains are blocked from creating Let's Encrypt certificates - urn:ietf:params:acme:error:caa. Upd 15:30: Microsoft has removed all CAA

Hi,
I'm having issues creating a certificate for an Azure virtual machine using the win-acme client (wacs). I'm using wacs in unattended mode, and this worked for different VMs (with different hostnames) until this morning.

Domain:
rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com

I ran this command:
wacs.exe
2.1.8.838 (release, pluggable)
I tried wacs.exe in both unattended and normal CLI mode. The results are the same.

It produced this output:

Authorize identifier: rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com 
Authorizing rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com using http-01 validation (SelfHosting)
{
    "type":"urn:ietf:params:acme:error.caa",
    "detail": "CAA record for rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com prevents issuance",
    "status": 403
}
Authorization result: invalid

My web server is (include version): -

The operating system my web server runs on is (include version):
Windows 10 1909

My hosting provider, if applicable, is:
Microsoft Azure

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
wacs.exe 2.1.8.838

Thank you for your help!

4 Likes

Hi @jonben

you can’t create a certificate with that domain name. See your check - https://check-your-website.server-daten.de/?q=rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com#caa

13. CAA - Entries

Domainname                                                 flag  Name   Value           ∑ Queries  ∑ Timeout
rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com   0     no CAA entry found     1          0
westeurope.cloudapp.azure.com                              0     no CAA entry found     1          0
cloudapp.azure.com                                         0     no CAA entry found     1          0
azure.com                                                  5     issue  digicert.com    1          0
                                                           5     issue  entrust.com     1          0
                                                           5     issue  globalsign.com  1          0
com                                                        0     no CAA entry found     1          0

Only digicert, entrust and globalsign are allowed to create certificates with azure.com.

You may add your own CAA entry with your complete domain name. But that may be impossible.

3 Likes

Hi,

We have a similar issue with our domain, which was working previously.

xyz.australiaeast.cloudapp.azure.com

Now our certificates are not renewing, and we are not able to create new ones. We are getting: CAA record for xyz.australiaeast.cloudapp.azure.com prevents issuance

Is this expected, or can we define a CAA record at "xyz.australiaeast.cloudapp.azure.com" with Let's Encrypt to allow this?

Thanks,
Alex

2 Likes

Hi @JuergenAuer

Thank you for your response.
This seems strange, the same certificate creation process worked yesterday.

Just for my understanding: this is something I can't do anything about, because Microsoft set these CAA records for azure.com?
I think it isn't possible for me to set CAA entries for the complete domain name.

3 Likes

If Microsoft changed the CAA entries yesterday / today, then it doesn't work now. That's how CAA RRs are defined.

CAAs are checked hierarchically. Longest -> shortest.

An existing CAA stops that.

So if you can’t create a CAA with the long domain name, the CAA entry of azure.com blocks.

3 Likes
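The lookup described in the two posts above (walk from the full hostname toward the root, stop at the first name that has any CAA records, then see whether the CA is listed) is the relevant-RRset algorithm from RFC 8659. The following is an added example, not code from the thread or from win-acme: it implements that walk and the issue/issuewild decision against a constructed zone dictionary standing in for DNS, so the blocked state reported for azure.com and the cleared state later in the thread can both be reproduced offline. The zone contents, the CA identifier letsencrypt.org, and the function names are assumptions for illustration.

```python
"""Relevant CAA RRset lookup and issuance check, following RFC 8659 section 3.

Added example for the forum thread, not the thread's or win-acme's code.
A dict replaces the DNS resolver so the climb is visible and runs offline.
"""
from typing import Dict, List, Tuple

CAA = Tuple[int, str, str]    # (flags, tag, value) as carried in a CAA RR
Zone = Dict[str, List[CAA]]   # constructed stand-in for DNS: owner -> RRset

# RFC 8659 defines only bit 0 (value 128) of the flags byte, Issuer Critical.
# The flag value 5 shown by the checker in the thread sets none of it.
ISSUER_CRITICAL = 128

# Constructed snapshot of the first check in the thread: nothing below
# azure.com, three "issue" properties on azure.com itself.
ZONE_BLOCKED: Zone = {
    "azure.com": [
        (5, "issue", "digicert.com"),
        (5, "issue", "entrust.com"),
        (5, "issue", "globalsign.com"),
    ],
}
# Constructed snapshot after Microsoft removed the records: no CAA anywhere.
ZONE_CLEARED: Zone = {}

HOST = "rd-2018960013-hsdss-dev-jb.westeurope.cloudapp.azure.com"


def parent(name: str) -> str:
    """Drop the leftmost label; 'com' -> '' marks the root and ends the walk."""
    _, _, rest = name.partition(".")
    return rest


def relevant_caa_set(zone: Zone, name: str) -> Tuple[str, List[CAA]]:
    """RFC 8659 sec. 3: strip a leading '*.', then walk toward the root and
    return the first non-empty CAA RRset with the owner name it was found at."""
    if name.startswith("*."):
        name = name[2:]
    name = name.rstrip(".").lower()
    while name:
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
        name = parent(name)
    return "", []


def may_issue(zone: Zone, name: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue for name.
    Returns (allowed, reason) so the caller sees which record decided it."""
    wildcard = name.startswith("*.")
    found_at, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True, "no CAA record on any label; issuance permitted"
    # A property the CA does not understand, flagged critical, forbids issuance.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag {tag!r} at {found_at}"
    tags = [tag.lower() for _, tag, _ in rrset]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    effective = "issuewild" if wildcard and "issuewild" in tags else "issue"
    authorised = []
    for _, tag, value in rrset:
        if tag.lower() == effective:
            # issuer-domain-name is the part before any ';' parameters;
            # an empty issuer (value ";") means nobody may issue.
            authorised.append(value.split(";", 1)[0].strip().lower())
    if not authorised:
        return True, f"CAA at {found_at} has no {effective} property; issuance permitted"
    if ca_domain.lower() in authorised:
        return True, f"{ca_domain} is listed in {effective} at {found_at}"
    allowed = sorted(a for a in authorised if a) or ["nobody"]
    return False, f"CAA record at {found_at} prevents issuance; permitted: {allowed}"


if __name__ == "__main__":
    for label, zone in (("blocked", ZONE_BLOCKED), ("cleared", ZONE_CLEARED)):
        print(label, may_issue(zone, HOST, "letsencrypt.org"))
```

To compare against live DNS, query each label the same way the walk does, for example `dig azure.com CAA +short` and `dig westeurope.cloudapp.azure.com CAA +short`; an empty answer at every label is the cleared state, and the first label that answers is the one the CA will apply.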

The same with *.westeurope.cloudapp.azure.com. One of our AKS clusters is working, using a certificate issued by Let's Encrypt 3 days ago. But another one, created a few hours ago, can't get one. Didn't find any announcement from Microsoft about coming changes…

2 Likes

I’ve edited the topic title.

There are a lot of users with the same problem.

3 Likes

That’s expected.

A blocking CAA on azure.com blocks all subdomains.

3 Likes

I have posted a question to MS about this today; let's see if we can get anything out of them. This has come at a really bad time for us; we really need this to be working for our deployments.
MS Link

3 Likes

I see a referrer in "check-your-website" from a Microsoft servicedesk site, to one of these Azure subdomain checks.

Looks like Microsoft checks that.

2 Likes

Oh - I see: Microsoft has removed all CAA entries.

A check, some minutes old - https://check-your-website.server-daten.de/?q=qa-helloflex.westeurope.cloudapp.azure.com#caa

13. CAA - Entries

Domainname                                  flag  Name   Value   ∑ Queries  ∑ Timeout
qa-helloflex.westeurope.cloudapp.azure.com  0     no CAA entry found     1          0
westeurope.cloudapp.azure.com               0     no CAA entry found     1          0
cloudapp.azure.com                          0     no CAA entry found     1          0
azure.com                                   0     no CAA entry found     1          0
com                                         0     no CAA entry found     1          0

No CAA entry defined.

So creating Let's Encrypt certificates should work.

6 Likes

Works like a charm now, thanks for checking this out for me!

3 Likes

Question: How do you guys pass the verification when we don’t have access to the DNS of azure.com

1 Like

Microsoft has removed the blocking CAA entries.

1 Like

A post was split to a new topic: TXT requirements