Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: *.beta-4.radix.equinor.com
I ran this command:
certbot certonly --dry-run --manual --preferred-challenges dns-01 -d *.beta-4.radix.equinor.com
It produced this output:
Failed authorization procedure. beta-4.radix.equinor.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for beta-4.radix.equinor.com

IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: beta-4.radix.equinor.com
  Type: None
  Detail: DNS problem: SERVFAIL looking up CAA for beta-4.radix.equinor.com
My hosting provider, if applicable, is: Azure DNS manages DNS
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0
However, when running "dig caa" locally I get NXDOMAIN and not SERVFAIL. As far as I can tell from https://letsencrypt.org/docs/caa/ ("You can set CAA records on your main domain, or at any depth of subdomain. For instance, if you had www.community.example.com, you could set CAA records for the full name, or for community.example.com, or for example.com. CAs will check each version, from left to right, and stop as soon as they see any CAA record."), getting a NXDOMAIN should be fine and allow the certificate to be issued.
When adding the CAA record to the subdomain it suddenly works though:
az network dns record-set caa add-record -g common --zone-name radix.equinor.com --record-set-name beta-4 --flags 0 --tag "issue" --value "letsencrypt.org"
sudo certbot certonly --manual --preferred-challenges dns-01 -d *.beta-4.radix.equinor.com

- Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/beta-4.radix.equinor.com/fullchain.pem
This has been working for 7-8 months until we started getting Authorization Failure Rate Limit errors a few days ago and started troubleshooting. We have also been in contact with Microsoft support, who could not provide any other assistance than to suggest trying to add CAA directly to beta-4.radix.equinor.com.
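The CAA "tree climbing" lookup the quoted Let's Encrypt docs describe, as an added example that is not part of the original post or of Certbot: it walks from the requested name toward the root and shows why a local NXDOMAIN is harmless while the SERVFAIL Let's Encrypt reported blocks issuance. DNS answers come from constructed in-memory tables built around the post's own name; `make_lookup`, `caa_allows` and the `ZONE_*` tables are hypothetical names, not any real resolver API.

```python
# Added example (not from the original post): CAA "tree climbing" as the
# Let's Encrypt CAA docs quoted above describe it, following RFC 8659.
# DNS answers come from constructed in-memory tables, not real queries.

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def make_lookup(zone):
    """Offline stand-in for a CAA query. `zone` maps owner name -> (rcode,
    [(flags, tag, value), ...]); names absent from the table answer NXDOMAIN."""
    return lambda owner: zone.get(owner, (NXDOMAIN, []))

def caa_allows(name, ca_domain, lookup, wildcard=False):
    """Walk from `name` to the root, stopping at the first name with CAA records.
    Returns (allowed, reason). NXDOMAIN and empty answers mean "no CAA here,
    keep climbing"; SERVFAIL aborts, because the CA cannot tell whether a
    restriction exists. That is why the poster's local NXDOMAIN is harmless
    while the SERVFAIL seen by Let's Encrypt blocks issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rcode, records = lookup(owner)
        if rcode == SERVFAIL:
            return False, f"SERVFAIL looking up CAA for {owner}"
        if rcode == NXDOMAIN or not records:
            continue  # no CAA at this depth: climb to the parent
        # Unknown tag with the critical bit (128) set: the CA must refuse.
        if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
            return False, f"unknown critical CAA property at {owner}"
        # Strip parameters ("letsencrypt.org; validationmethods=dns-01").
        issue = [v.split(";")[0].strip() for _, t, v in records if t == "issue"]
        issuewild = [v.split(";")[0].strip() for _, t, v in records if t == "issuewild"]
        # For wildcards, issuewild replaces issue when present (RFC 8659 4.3).
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:  # only iodef etc.: issuance is not restricted here
            return True, f"CAA at {owner} does not restrict issuance"
        return ca_domain in relevant, f"CAA at {owner}: issue set {relevant}"
    return True, "no CAA records at any depth"

# Constructed scenarios mirroring the post. The name checked for
# *.beta-4.radix.equinor.com is beta-4.radix.equinor.com (the '*' is dropped).
NAME = "beta-4.radix.equinor.com"
ZONE_OK = {"radix.equinor.com.": (NOERROR, [])}             # beta-4 -> NXDOMAIN, fine
ZONE_BROKEN = {NAME + ".": (SERVFAIL, [])}                   # what Let's Encrypt saw
ZONE_FIXED = {NAME + ".": (NOERROR, [(0, "issue", "letsencrypt.org")])}  # after the az command

if __name__ == "__main__":
    for label, zone in [("ok", ZONE_OK), ("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)]:
        print(label, caa_allows(NAME, "letsencrypt.org", make_lookup(zone), wildcard=True))
```

Running it prints an allow for the NXDOMAIN and the added-record cases and a refusal with the same "SERVFAIL looking up CAA" wording for the broken case, which is the distinction to check first when a resolver answers SERVFAIL.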