CAA & certificate issuance problem with a previously working setup

My domain is: blog.healthchecks.io

I ran this command: I tested with letsdebug.net (link to report - Let's Debug)

It produced this output:

CAAIssuanceNotAllowed
Fatal
No CAA record on healthchecks.io (wildcard=false) contains the issuance domain letsencrypt.org". You must either add an additional record to include "letsencrypt.org" or remove every existing CAA record. A list of the CAA records are provided in the details.
healthchecks.io. 0 IN CAA 0 issue "sectigo.com"

I have a DNS CAA record on my root domain:

healthchecks.io CAA 0 issue sectigo.com

And on a subdomain:

blog.healthchecks.io CAA 0 issue letsencrypt.org

This used to work fine and LetsEncrypt was able to issue certificates for the subdomain. Sometime in the last 3 months this started to fail and I finally noticed yesterday when the certificate for the subdomain expired.

I'm reading Certificate Authority Authorization (CAA) - Let's Encrypt and it says:

Note that the CA will always respect the CAA record closest to the domain name it is issuing a certificate for. So if you’re requesting a cert for “www.community.example.org”, the CA will check “www.community.example.org”, then “community.example.org”, then “example.org”, stopping at the first CAA record it finds.

From this it seems that my DNS setup should have been fine.

To fix the immediate problem I added another CAA record:

healthchecks.io CAA 0 issue letsencrypt.org

And then LetsEncrypt did issue a new certificate for the subdomain. But I would like to understand why my previous setup used to work, and does not work any more.

Any tips appreciated, thanks!

1 Like

I think the problem is that blog.healthchecks.io has a CNAME and it's not allowed in DNS specs to have any other RR (other than DNSSEC RRs). Thus the CAA RR next to the CNAME is ignored.

6 Likes

Well, I don't know how it used to work to have both a CNAME and CAA record on the same name (your DNS server should prevent it, I would think, since it doesn't make any sense), but there is at least one other recent time here of someone saying that it used to work for them until recently as well. There might have been an update on Let's Encrypt's side that ended up stopping that configuration from working anymore, but honestly I don't see how it ever would have worked. CNAME means "go look over there"; saying "but also look here for one of the records" isn't a concept that DNS has.

5 Likes

Thanks for the pointer @petercooperjr, very useful!

My current understanding of the issue is:

  1. LetsEncrypt sees the blog.healthchecks.io CNAME cdn.hardypress.com record and follows it
  2. LetsEncrypt sees cdn.hardypress.com CNAME hardypress.b-cdn.net record and follows it
  3. LetsEncrypt finds no CAA record for hardypress.b-cdn.net
  4. LetsEncrypt now checks the parent domain of blog.healthchecks.io, which is healthchecks.io. This domain has a CAA record, which only allows sectigo as an issuer. So LetsEncrypt gives up.

Assuming this is correct, I guess a good solution would be for Bunny CDN to serve CAA records for all their <name>.b-cdn.net domains, so step 3 succeeds.

As a workaround I can add an extra CAA record for healthchecks.io, so step 4 succeeds. This is not ideal as it would now allow LetsEncrypt to issue certificates for more domains than intended.

3 Likes

Yes, that all looks correct.

If you want to add Let's Encrypt to your base CAA record, but not have it be entirely open, you may want to consider adding an accounturi to the record, which will only allow Let's Encrypt to issue when being requested from a specific ACME account.

4 Likes
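The four-step lookup worked out above and the accounturi scoping suggested in the last reply, as an added Python simulation that is not part of this thread or of Let's Encrypt's code. The zone table is constructed from the names in the thread (the empty hardypress.b-cdn.net entry and the account URI in the test are placeholders), and the walk follows the thread's description: CNAME chain first, then the parents of the original name only.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data modelled on the thread (hypothetical; not live DNS).
ZONE: Dict[str, List[tuple]] = {
    "blog.healthchecks.io": [("CNAME", "cdn.hardypress.com"),
                             ("CAA", 0, "issue", "letsencrypt.org")],  # dead: sits beside a CNAME
    "cdn.hardypress.com": [("CNAME", "hardypress.b-cdn.net")],
    "hardypress.b-cdn.net": [],                                          # CDN serves no CAA
    "healthchecks.io": [("CAA", 0, "issue", "sectigo.com")],
}

def caa_at(name: str, zone: Dict[str, List[tuple]]) -> List[tuple]:
    """CAA RRset at one name, following its CNAME chain first. Anything else
    stored beside a CNAME is invisible, which is what the thread concluded."""
    seen = set()
    while name not in seen:
        seen.add(name)
        rrs = zone.get(name, [])
        target = next((rr[1] for rr in rrs if rr[0] == "CNAME"), None)
        if target is None:
            return [rr for rr in rrs if rr[0] == "CAA"]
        name = target
    return []  # CNAME loop: treat as no CAA

def relevant_caa(name: str, zone: Dict[str, List[tuple]]) -> Tuple[Optional[str], List[tuple]]:
    """Steps 1-4 of the thread: the name (via its CNAMEs), then each parent of
    the original name. Parents of the CNAME targets are never climbed."""
    labels = name.split(".")
    for i in range(len(labels) - 1):              # stop before the TLD
        candidate = ".".join(labels[i:])
        rrset = caa_at(candidate, zone)
        if rrset:
            return candidate, rrset
    return None, []

def issuance_allowed(rrset: List[tuple], issuer: str, account_uri: Optional[str] = None) -> bool:
    """No relevant CAA allows any CA; otherwise an 'issue' record must name the CA
    and each parameter on it (e.g. accounturi=...) must match the request."""
    if not rrset:
        return True
    for _, _, tag, value in rrset:
        if tag != "issue":
            continue
        domain, *params = [p.strip() for p in value.split(";")]
        wanted = dict(p.split("=", 1) for p in params if "=" in p)
        if domain == issuer and wanted.get("accounturi", account_uri) == account_uri:
            return True
    return False
```

Running `relevant_caa("blog.healthchecks.io", ZONE)` lands on healthchecks.io's sectigo.com record, so `issuance_allowed` is False for letsencrypt.org; adding an `issue` record with an `accounturi` parameter to the parent opens it only to that one ACME account.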
