CAA error for www.hamptongenesis.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

We are seeing CAA error for domain www.hamptongenesis.com. When I run standard CAA checks, I do not see any errors. It would be helpful if we can get more details on the error here.

My domain is: www.hamptongenesis.com

I ran this command: dig CAA www.hamptongenesis.com
dig CAA@ns2.dealer.com www.hamptongenesis.com
dig CAA@ns1.dealer.com www.hamptongenesis.com

https://unboundtest.com/m/CAA/www.hamptongenesis.com/5JQVFM2L

It produced this output:

dig CAA@ns2.dealer.com www.hamptongenesis.com

; <<>> DiG 9.10.6 <<>> CAA@ns2.dealer.com www.hamptongenesis.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4606
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;CAA@ns2.dealer.com. IN A

;; ANSWER SECTION:
CAA@ns2.dealer.com. 60 IN A 64.70.56.99

;; Query time: 167 msec
;; SERVER: 172.27.112.15#53(172.27.112.15)
;; WHEN: Thu Jun 20 13:12:12 EDT 2019
;; MSG SIZE rcvd: 63

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11251
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hamptongenesis.com. IN A

;; ANSWER SECTION:
www.hamptongenesis.com. 266 IN CNAME le0244.secure.dealer.com.edgekey.net.
le0244.secure.dealer.com.edgekey.net. 21566 IN CNAME e24230.dscx.akamaiedge.net.
e24230.dscx.akamaiedge.net. 20 IN A 104.70.121.171
e24230.dscx.akamaiedge.net. 20 IN A 104.70.121.203

;; Query time: 78 msec
;; SERVER: 172.27.112.15#53(172.27.112.15)
;; WHEN: Thu Jun 20 13:12:12 EDT 2019
;; MSG SIZE rcvd: 170

My web server is (include version):

The operating system my web server runs on is (include version):

Can you post the exact error message you are getting?

You're missing a space in the later ones. It should be dig CAA @ns2.dealer.com www.hamptongenesis.com or, as I usually write it, dig CAA www.hamptongenesis.com @ns2.dealer.com.

Also for completeness with regards to the CAA algorithm you'll want to query the parent domain dig CAA hamptongenesis.com @ns2.dealer.com.

You're right that those commands appear to work. Hopefully the full error message from the server will help. Also: Does this happen reliably every time you try to issue for this domain? And is this domain grouped together with a lot of other domains on a cert?

Thanks @jsha for your response.The error text is below

error:
  code: le-certificate-error
  message: Error getting certificate and trust chain from Let's Encrypt
  formatString: 'Error: {0}, Detail: {1}'
  formatParameters:
  - urn:acme:error:caa
  - 'Error creating new cert :: Rechecking CAA for "www.hamptongenesis.com" and
    1 more identifiers failed. Refer to sub-problems for more information'
  data:
    message: urn:acme:error:caa
    detail: 'Error creating new cert :: Rechecking CAA for "www.hamptongenesis.com"
      and 1 more identifiers failed. Refer to sub-problems for more information'
  errorGroup:
    code: invalid-input
    message: Invalid Input
timestamp: 2019-06-20T16:32:31z

Ah, good to know. We recently added support for RFC 8555 “subproblems” specifically to help with this use case where there are multiple problems in a single request, that all apply to different domains. See https://tools.ietf.org/html/rfc8555#section-6.7.1.

There’s a field in the error response that’s not showing up in the output you provided, called “subproblems.” Are you able to get that field? If not, I’d recommend tweaking your ACME software so that it gets logged as well. That will tell you about the other identifier that failed rechecking. If you want to make more detailed fixes to your software, you can even use the identifier data in a subproblem to automatically split out problematic domain names from a larger certificate.

Also, could you please answer these questions:

Actually, @rmbolger spotted a bug in our implementation, so the subproblems won’t actually show up yet. Sorry for the confusion!

Since the bug in our implementation makes it hard for you to diagnose this independently, I took a look at our logs. It appears the the problem is actually with greenfamilygenesis.com and www.greenfamilygenesis.com. You can reproduce this yourself with:

$ dig CAA greenfamilygenesis.com

; <<>> DiG 9.11.4-3ubuntu5.3-Ubuntu <<>> CAA greenfamilygenesis.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33258
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0f5df2f9427a08a6c82958795d0be77b0b33b472f7db6f5e (good)
;; QUESTION SECTION:
;greenfamilygenesis.com.                IN      CAA

;; Query time: 21 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Jun 20 13:07:23 PDT 2019
;; MSG SIZE  rcvd: 79
1 Like

@jsha Thanks for helping out here. I will check with our team regarding “subproblems”.

1 Like

Please note the thread I linked above; subproblems won’t be fully ready for use until next Thursday. But the team can start reading about them in the RFC and planning support before then. Thanks!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.