Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for “grotenhuismakelaardij.nl” and 1 more identifiers failed. Refer to sub-problems for more information
My web server is (include version):
nginx-plus 17-1~stretch
The operating system my web server runs on is (include version):
Debian 9
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
This error would happen if one or more of your authoritative nameservers started to return a SERVFAIL or another error for the CAA lookup query. Sometimes this happens with very large orders such as yours when the nameserver can’t handle the volume of requests generated by checking so many domains at once, or if it thinks it is under attack by Let’s Encrypt’s recursive resolver.
What sort of authoritative DNS setup do you use? Do you have any logs that might confirm this?
You might also consider issuing more certificates with less names per certificate. This has advantages above and beyond potentially mitigating this problem for you.
FYI: The problem was solved by the DNS hoster (they did not mention what they did).
The following is an interesting statement:
“You might also consider issuing more certificates with less names per certificate. This has advantages above and beyond potentially mitigating this problem for you.”
We changed the names limit to 50% of what we used to (which was to follow the limit set by letsencrypt in the documentation). This did help mitigating the problem by forcing new names to go into a new certificate and thereby avoiding the problem name.
Just for my and probably others curiosity, can you give a couple of example above and beyond advantages?
Glad to hear they were able to find a solution for you. Thanks for reporting back!
Overall I think the argument is one of improved agility. Managing large shared certificates as names come and go (perhaps customers signing up for a service, or leaving it later) is cumbersome.
It's also possible based on the baseline requirements trusted CAs are bound by to have a single owner of a domain used in a shared certificate force the revocation of the entire certificate. Putting many names on one certificate increases the number of names that may be affected by a revocation like that.
Historically the primary advantage of a certificate with many subjects was to avoid needing a dedicated IP address when Server Name Indication (SNI) support wasn't yet prevalent. I don't think this advantage holds much weight in 2019 because the majority of clients support SNI and deprecations of TLS 1.0/1.1 are also helping to accelerate that trend.
Hope that helps! I think there are probably other advantages but those are the one's front of mind.