An unexpected error occurred: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for <my domain> and 1 more identifiers failed. Refer to sub-problems

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I want to re-install ssl certs.

My domain is: priv.bcollaborator.com

I ran this command:
/usr/bin/certbot -v certonly -d priv.bcollaborator.com -d *.priv.bcollaborator.com --server https://acme-v02.api.letsencrypt.org/directory --manual --agree-tos --no-eff-email --manual-public-ip-logging-ok --preferred-challenges dns-01

It produced this output:

2022/01/13 05:17:00.609998 tool_linux.go:68: DEBUG: re-exec not supported on distro "ol" yet

2022/01/13 05:17:00.626302 tracking.go:45: DEBUG: creating transient scope snap.certbot.certbot

2022/01/13 05:17:00.626371 tracking.go:188: DEBUG: session bus is not available: cannot find session bus

2022/01/13 05:17:00.626405 tracking.go:190: DEBUG: falling back to system bus

2022/01/13 05:17:00.628328 tracking.go:195: DEBUG: using system bus now, session bus was not available

2022/01/13 05:17:00.634316 tracking.go:317: DEBUG: created transient scope as object: /org/freedesktop/systemd1/job/333512

2022/01/13 05:17:00.634441 tracking.go:145: DEBUG: waited 72.213µs for tracking

DEBUG: umask reset, old umask was 022

DEBUG: security tag: snap.certbot.certbot

DEBUG: executable: /usr/libexec/snapd/snap-exec

DEBUG: confinement: classic

DEBUG: base snap: core20

DEBUG: ruid: 0, euid: 0, suid: 0

DEBUG: rgid: 0, egid: 0, sgid: 0

DEBUG: preparing classic execution environment

DEBUG: set_effective_identity uid:0 (change: yes), gid:0 (change: yes)

DEBUG: creating user data directory: /root/snap/certbot/1670

DEBUG: current SELinux process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

DEBUG: ruid: 0, euid: 0, suid: 0

DEBUG: loading bpf program for security tag snap.certbot.certbot

DEBUG: read 14 bytes from /var/lib/snapd/seccomp/bpf//snap.certbot.certbot.bin

DEBUG: execv(/usr/libexec/snapd/snap-exec, /usr/libexec/snapd/snap-exec...)

DEBUG: argv[1] = certbot

DEBUG: argv[2] = -v

DEBUG: argv[3] = certonly

DEBUG: argv[4] = -d

DEBUG: argv[5] = priv.bcollaborator.com

DEBUG: argv[6] = -d

DEBUG: argv[7] = *.priv.bcollaborator.com

DEBUG: argv[8] = --server

DEBUG: argv[9] = https://acme-v02.api.letsencrypt.org/directory

DEBUG: argv[10] = --manual

DEBUG: argv[11] = --agree-tos

DEBUG: argv[12] = --no-eff-email

DEBUG: argv[13] = --manual-public-ip-logging-ok

DEBUG: argv[14] = --preferred-challenges

DEBUG: argv[15] = dns-01

DEBUG: umask restored to 022

DEBUG: working directory restored to /etc/letsencrypt/live

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator manual, Installer None

Requesting a certificate for priv.bcollaborator.com and *.priv.bcollaborator.com

An unexpected error occurred:

Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "priv.bcollaborator.com" and 1 more identifiers failed. Refer to sub-problems for more information

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): No web server. I need it to run Burp private Collaborator

The operating system my web server runs on is (include version):
Oracle Linux 7: 4.14.35-2047.510.4.1.el7uek.x86_64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Welcome to the forum, @kamalpreet.

Do you still need help? I see you issued a wildcard cert today.

The error was about having a CAA record that did not allow Let's Encrypt. But, I no longer see any CAA record so I guess you fixed it.

Let us know if you still have this problem.

2 Likes
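
The CAA check the reply above refers to, as an added example that is not part of the original thread and is not Let's Encrypt's code: it applies the RFC 8659 rules to both names on the order (the base name and the wildcard). The zone contents are constructed, since the thread never shows the actual records; `ca.example.net` is a placeholder issuer and the function names are hypothetical.

```python
# Constructed zone data: owner name -> list of (flags, tag, value) CAA records.
# The record values are hypothetical; the thread never shows the real ones.
ZONE = {
    "bcollaborator.com": [(0, "issue", "ca.example.net"),
                          (0, "iodef", "mailto:sec@example.net")],
}
LETSENCRYPT = "letsencrypt.org"  # Let's Encrypt's CAA issuer domain name
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # properties defined by RFC 8659


def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root and return (owner, records)
    for the first non-empty CAA RRset, or (None, []) if there is none."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":  # a wildcard name is checked starting at its parent
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_of(value):
    """Issuer domain name of an issue/issuewild value, parameters dropped."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca, zone):
    """True if the relevant CAA RRset permits `ca` to issue for fqdn."""
    _, records = relevant_rrset(fqdn, zone)
    # An unknown property with the critical bit set blocks issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    wild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue, but only for wildcard names.
    allowed = wild if (fqdn.startswith("*.") and wild) else issue
    if not allowed:
        return True  # no RRset, or nothing in it restricts this request
    return ca in allowed  # an empty issuer value (";") matches no CA
```

With the constructed zone, both names on the order are refused because the record is inherited from the parent domain; removing it, or adding an `issue "letsencrypt.org"` record at or below that level, clears the check.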