Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.cyber.army.mil
I ran this command:
dig CAA www.cyber.army.mil
It produced this output:
dig CAA www.cyber.army.mil
; <<>> DiG 9.10.6 <<>> CAA www.cyber.army.mil
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58233
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.cyber.army.mil. IN CAA
;; ANSWER SECTION:
www.cyber.army.mil. 3600 IN CNAME www.armypw.army.mil.edgekey.net.
www.armypw.army.mil.edgekey.net. 300 IN CNAME e16905.dscb.akamaiedge.net.
We were told by LE that there are CAA errors on domains for the certificate with CN=www.cyber.army.mil. The issue is that the actual CAA checks work fine for the domain. The error I see in the API response from LE is below. Can we get more information on this error? How can I validate what exactly the CAA error is here? We had seen something similar with a .mil domain in the past.
error:
code: le-certificate-error
message: Error getting certificate and trust chain from Let's Encrypt
formatString: 'Error: {0}, Detail: {1}'
formatParameters:
- Error getting certificate and trust chain from Let's Encrypt
- POST to https://acme-v01.api.letsencrypt.org/acme/new-cert failed.
timestamp: 2018-11-16T21:22:47z
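The dig in the post only shows the CNAME chain for www.cyber.army.mil; a CA does more than that. Per RFC 8659 (which replaced RFC 6844 and matches the erratum-5065 behaviour CAs implement), it follows the CNAME chain at the queried name, takes the CAA set at the end of the chain, and if that is empty climbs to each ancestor of the original name (cyber.army.mil, army.mil, mil) until a CAA record set turns up. NODATA or NXDOMAIN at a level means "no CAA here, keep climbing"; a SERVFAIL or timeout at any level means the CA cannot decide and must refuse, which is the usual reason a CAA check "works fine" by hand but fails at the CA. The following offline model of that algorithm is an added example, not part of the original post or of Let's Encrypt's code. The CNAME chain is the one from the dig output above; the CAA record placed at army.mil. and the simulated SERVFAIL are assumptions for illustration, not the real records.

```python
"""Offline model of the CAA check a CA runs before issuing (RFC 8659, section 3).

Constructed zone data is embedded below so the example runs without network access.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)


class LookupFailure(Exception):
    """A CAA query that got no clean answer (SERVFAIL, timeout, bogus DNSSEC).

    A CA must treat this as 'do not issue'; only NXDOMAIN/NODATA mean 'no CAA here'.
    """


@dataclass
class Node:
    cname: Optional[str] = None                        # alias target if this name is a CNAME
    caa: List[CAARecord] = field(default_factory=list)  # CAA RRset at this name
    servfail: bool = False                             # simulate a resolver failure here


Zone = Dict[str, Node]

# CONSTRUCTED zone data. The CNAME chain is the one from the dig output in the post;
# the CAA record at army.mil. is an ASSUMPTION for the example, not the real record.
ZONE: Zone = {
    "www.cyber.army.mil.": Node(cname="www.armypw.army.mil.edgekey.net."),
    "www.armypw.army.mil.edgekey.net.": Node(cname="e16905.dscb.akamaiedge.net."),
    "e16905.dscb.akamaiedge.net.": Node(),  # end of the chain, no CAA (NODATA)
    "cyber.army.mil.": Node(),              # no CAA here either
    "army.mil.": Node(caa=[(0, "issue", "letsencrypt.org")]),  # assumed for illustration
    "mil.": Node(),
}

# Same tree, but the CAA query at army.mil. fails (e.g. a DNSSEC problem in that zone).
BROKEN: Zone = dict(ZONE)
BROKEN["army.mil."] = Node(servfail=True)


def caa_at(zone: Zone, name: str, max_chain: int = 8) -> List[CAARecord]:
    """CAA(name): follow the CNAME chain from `name`, return the CAA set at its end.

    [] means NODATA/NXDOMAIN at the end of the chain; LookupFailure means undecidable.
    """
    for _ in range(max_chain):
        node = zone.get(name)
        if node is None:
            return []
        if node.servfail:
            raise LookupFailure(name)
        if node.cname is None:
            return node.caa
        name = node.cname
    raise LookupFailure(f"CNAME chain too long at {name}")


def parent(name: str) -> str:
    """Strip the leftmost label: 'cyber.army.mil.' -> 'army.mil.'; 'mil.' -> ''."""
    return name.split(".", 1)[1]


def relevant_caa(zone: Zone, name: str) -> Tuple[str, List[CAARecord]]:
    """RelevantCAASet(name): first non-empty CAA(x) for x = name, parent(name), ...

    The climb is over the ORIGINAL name's ancestors, not the CNAME target's.
    """
    while name:
        rrset = caa_at(zone, name)
        if rrset:
            return name, rrset
        name = parent(name)
    return "", []


def ca_may_issue(zone: Zone, name: str, issuer: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide issuance the way a CA does: any lookup failure is a refusal."""
    try:
        owner, rrset = relevant_caa(zone, name)
    except LookupFailure as exc:
        return False, f"CAA lookup failed for {exc}; CA must refuse"
    if not rrset:
        return True, "no CAA anywhere in the tree; any CA may issue"
    known = ("issue", "issuewild", "iodef")
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False, f"unknown critical CAA tag at {owner}; CA must refuse"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"{owner} CAA has no issuance restriction"
    # The issuer domain is everything before ';'; the rest are parameters.
    if any(v.split(";", 1)[0].strip() == issuer for v in applicable):
        return True, f"{owner} CAA permits {issuer}"
    return False, f"{owner} CAA does not list {issuer}: {applicable}"


if __name__ == "__main__":
    for label, zone in (("constructed zone", ZONE), ("zone with SERVFAIL", BROKEN)):
        print(label, ca_may_issue(zone, "www.cyber.army.mil.", "letsencrypt.org"))
```

To reproduce the same walk with dig, query `CAA` for www.cyber.army.mil, then for each name on the CNAME chain and for cyber.army.mil, army.mil and mil, and look at the `status:` line of every answer, not just the ANSWER section: `NOERROR` with an empty answer is fine, `SERVFAIL` at any level is what blocks issuance. Adding `+dnssec` to those queries is worth it, since CAs use validating resolvers and a DNSSEC failure at an ancestor shows up as SERVFAIL there but as a normal answer from a non-validating resolver.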