CAA error for issuing certificate with CN=www.cyber.army.mil


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.cyber.army.mil

I ran this command:
dig CAA www.cyber.army.mil
It produced this output:

dig CAA www.cyber.army.mil

; <<>> DiG 9.10.6 <<>> CAA www.cyber.army.mil
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58233
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cyber.army.mil. IN CAA

;; ANSWER SECTION:
www.cyber.army.mil. 3600 IN CNAME www.armypw.army.mil.edgekey.net.
www.armypw.army.mil.edgekey.net. 300 IN CNAME e16905.dscb.akamaiedge.net.

We were told by LE that there are CAA errors on domains for the certificate with CN=www.cyber.army.mil. The issue is that the actual tests for the CAA check work fine for the domain. The error I see in the API response from LE is below. Can we get more information on this error? How can I validate what exactly the CAA error is here? We had seen something similar with a .mil domain in the past.

error:
  code: le-certificate-error
  message: Error getting certificate and trust chain from Let's Encrypt
  formatString: 'Error: {0}, Detail: {1}'
  formatParameters:
  - Error getting certificate and trust chain from Let's Encrypt
  - POST to https://acme-v01.api.letsencrypt.org/acme/new-cert failed.
  timestamp: 2018-11-16T21:22:47z
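Added example, not part of the original post: a dig for CAA on the requested name only shows the CNAME chain, which says nothing about which CAA records a CA will actually consult. A CA resolves CAA(X) through the CNAMEs like any resolver, and if that set is empty it climbs to the parent labels (RFC 8659 "Relevant RRset" rule), so the record that blocks issuance can sit at an ancestor the poster never queried. The script below implements that walk over a constructed in-memory zone (all names under .test/.example.net are made up, and the older RFC 6844 CNAME rules a CA may have used in 2018 differ slightly), and returns the trail of names it checked so the offending record is visible.

```python
"""CAA relevant-record walk (RFC 8659 semantics) over a constructed mock zone."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class CAA:
    flags: int      # bit 128 = issuer-critical
    tag: str        # issue / issuewild / iodef / anything else
    value: str      # e.g. "letsencrypt.org; validationmethods=dns-01"

# Constructed zone data (hypothetical names, not live DNS).
MOCK_ZONE: Dict[str, dict] = {
    "www.example.test": {"CNAME": "e1.edge.example.net."},   # CDN alias, no CAA itself
    "e1.edge.example.net": {},                                # CNAME target, no CAA
    "example.test": {"CAA": [CAA(0, "issue", "letsencrypt.org")]},
    "app.other.test": {"CAA": [CAA(0, "issue", "ca.other-provider.test")]},
    "strict.example.test": {"CAA": [CAA(128, "futuretag", "x")]},
    "wild.example.test": {"CAA": [CAA(0, "issue", ";"),
                                  CAA(0, "issuewild", "letsencrypt.org")]},
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def caa_records(name: str, zone: dict, max_cname: int = 8) -> Tuple[List[CAA], List[str]]:
    """CAA(X): follow the CNAME chain the way a resolver does, return the
    CAA set at the canonical name plus the chain of names visited."""
    name = _norm(name)
    chain: List[str] = []
    for _ in range(max_cname):
        rr = zone.get(name, {})
        chain.append(name)
        if "CNAME" in rr:
            name = _norm(rr["CNAME"])
            continue
        return list(rr.get("CAA", [])), chain
    raise RuntimeError("CNAME chain too long: " + " -> ".join(chain))

def relevant_caa(name: str, zone: dict) -> Tuple[List[CAA], Optional[str], list]:
    """R(X): first non-empty CAA(X) walking from X up through its parents."""
    labels = _norm(name).split(".")
    trail = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records, chain = caa_records(candidate, zone)
        trail.append((candidate, chain, records))
        if records:
            return records, candidate, trail
    return [], None, trail

def issuer_allowed(name: str, ca_domain: str, zone: dict,
                   wildcard: bool = False) -> Tuple[bool, str, list]:
    """Decide whether ca_domain may issue for name; explain which record decided."""
    records, source, trail = relevant_caa(name, zone)
    if not records:
        return True, "no CAA records at any label level", trail
    # An issuer-critical property the CA does not understand forbids issuance.
    for r in records:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{r.tag}' at {source}", trail
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"          # issuewild overrides issue for wildcard requests
    matching = [r for r in records if r.tag.lower() == tag]
    if not matching:
        return True, f"no '{tag}' properties at {source}; unrestricted", trail
    # Value is "<issuer-domain>[; params]"; an empty issuer domain (";") allows nobody.
    allowed = {r.value.split(";")[0].strip().lower() for r in matching}
    if ca_domain.lower() in allowed:
        return True, f"'{tag} {ca_domain}' found at {source}", trail
    return False, f"{tag} at {source} permits {sorted(allowed) or 'nobody'}", trail

if __name__ == "__main__":
    for fqdn, wild in [("www.example.test", False), ("app.other.test", False),
                       ("strict.example.test", False), ("wild.example.test", True)]:
        ok, why, trail = issuer_allowed(fqdn, "letsencrypt.org", MOCK_ZONE, wild)
        print(f"{fqdn}: {'ALLOWED' if ok else 'BLOCKED'} ({why})")
        for candidate, chain, recs in trail:
            print(f"    {candidate}: via {' -> '.join(chain)} -> {recs or 'empty'}")
```

To reproduce this against a live name, query CAA for the requested name and each of its parents (www.cyber.army.mil, cyber.army.mil, army.mil, mil) rather than only the leaf; a CNAME-only answer at the leaf is exactly the case where the deciding record lives higher up.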

#2

Why would you think the error signifies a CAA error?

It would have been helpful if you also gave the command for the issuing of the certificate, not just the dig command.


#3

In the past, Let’s Encrypt was not allowed to issue certificates for .mil domains at all, but now that rule has changed and there are a number of .mil certificates issued by Let’s Encrypt.

https://crt.sh/?Identity=%.mil&iCAID=16418

As @Osiris mentioned, it would be helpful to see the exact command and error message, or whatever communication you’ve previously had from Let’s Encrypt staff about CAA problems.