CAA error when creating certificate

We have a domain that does not have a CAA record allowing Let's Encrypt to create certificates, but we have it enabled in a subdomain of that main domain, and it gives us the following error:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: subdomain.domain.com
Type: caa
Detail: CAA record for domain.com prevents issuance

What could be the problem?

Your thread is more suitable for the Help section instead of the Issuance Tech category. I'll move it for you.

If you would have opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


If you want specific advice we need the info shown in the form Osiris posted

It would also be helpful to review how CAA should work and explain exactly what you have done. See this section in the CAA docs


It's going to be hard to help without the actual domain name, but just like it says, if your CAA record doesn't allow Let's Encrypt then it won't work. That page @MikeMcQ linked also links to the SSLMate’s CAA Record Generator which might be helpful for making sure your record says what you think it should.


Hi, I pass the data to you:

My domain is: formaciones.firmaprofesional.com

I ran this command:

certbot certonly \
--cert-name formaciones.firmaprofesional.com \
--manual \
-d formaciones.firmaprofesional.com > $FILE_OUTPUT_CERTBOT

It produced this output:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: formaciones.firmaprofesional.com
Type: caa
Detail: During secondary validation: CAA record for firmaprofesional.com prevents issuance

My web server is (include version):
Not relevant

The operating system my web server runs on is (include version):
Ubuntu 22.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.10.0

Thx for the help


You have quite the interesting CAA RR set:

firmaprofesional.com.	300	IN	CAA	0 issuewild "firmaprofesional.com"
firmaprofesional.com.	300	IN	CAA	0 issue "firmaprofesional.com"

I doubt you're a CA? In any case, the presence of these CAA RRs is blocking issuance for CAs that are not named firmaprofesional.com.

I also see you have a CNAME RR set for formaciones.firmaprofesional.com. It's not allowed to have any other RR other than DNSSEC RRs present together with CNAME. This includes CAA RRs. The CNAME points to cluster.evolmind.com which does not have a CAA RR set.

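To make the lookup order in the reply above concrete, here is an added example (not code from the thread or from Let's Encrypt) that runs a simplified RFC 8659 CAA search over a constructed, in-memory copy of the records quoted above. It follows the CNAME when resolving each name, climbs the original name's ancestors (not the CNAME target's), and reports why formaciones.firmaprofesional.com is refused and why a CAA RRset at the CNAME target unblocks it. Assumptions: the CA identifier "letsencrypt.org", the CNAME target cluster.evolmind.com as named in the reply (the later post names a different host), and an algorithm that ignores DNSSEC and iodef; all function names are this example's own.

```python
"""Simplified RFC 8659 CAA lookup over a constructed in-memory zone.

Added example, not code from the thread. Records are modelled on the RRsets
quoted in the reply above; "letsencrypt.org" is an assumed CA identifier.
"""
import copy
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]      # (flags, tag, value)
Zone = Dict[str, Dict[str, list]]     # owner name -> {rrtype: [rdata, ...]}

# Constructed zone: CAA at the apex, a CNAME at the subdomain, and no CAA at
# the CNAME target (cluster.evolmind.com, as named in the reply above).
ZONE_BEFORE: Zone = {
    "firmaprofesional.com.": {
        "CAA": [(0, "issue", "firmaprofesional.com"),
                (0, "issuewild", "firmaprofesional.com")],
    },
    "formaciones.firmaprofesional.com.": {"CNAME": ["cluster.evolmind.com."]},
    "cluster.evolmind.com.": {},
}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once the TLD has been consumed."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def resolve_caa(zone: Zone, name: str, max_hops: int = 8) -> List[CAARecord]:
    """Ordinary resolution of <name, CAA>: follow CNAMEs to the end of the
    chain and return the CAA RRset found there (possibly empty)."""
    for _ in range(max_hops):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"][0]
            continue
        return list(rrs.get("CAA", []))
    raise ValueError("CNAME chain too long or looping")


def relevant_rrset(zone: Zone, name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the first non-empty CAA RRset found at the name or,
    climbing one label at a time, at an ancestor. Each lookup follows CNAMEs,
    but the climb uses the original name's ancestors, never the target's."""
    cur: Optional[str] = fqdn(name)
    while cur is not None:
        rrset = resolve_caa(zone, cur)
        if rrset:
            return cur, rrset
        cur = parent(cur)
    return None, []


def issuance_allowed(zone: Zone, name: str, ca: str,
                     wildcard: bool = False) -> Tuple[bool, str]:
    """Apply the RFC 8659 section 4 rules to the relevant RRset for one CA."""
    where, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records found; any CA may issue"
    # An unrecognised property with the critical flag (0x80) set forbids issuance.
    if any(r[0] & 0x80 and r[1] not in ("issue", "issuewild", "iodef") for r in rrset):
        return False, f"unrecognised critical CAA property at {where}"
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in rrset):
        tag = "issuewild"
    # Value is "<issuer-domain>[; params]"; an empty issuer (";") permits nobody.
    issuers = {r[2].split(";", 1)[0].strip().lower() for r in rrset if r[1] == tag}
    if not issuers:
        return True, f"no {tag} property at {where}; issuance permitted"
    if ca.lower() in issuers:
        return True, f"{ca} authorised by {tag} property at {where}"
    return False, f"CAA record for {where.rstrip('.')} prevents issuance"


def cname_conflicts(zone: Zone) -> List[str]:
    """Owner names holding a CNAME next to other non-DNSSEC data (forbidden by
    RFC 1034); a CAA placed beside the subdomain's CNAME would show up here."""
    dnssec = {"RRSIG", "NSEC", "NSEC3"}
    return sorted(n for n, rrs in zone.items()
                  if "CNAME" in rrs and set(rrs) - {"CNAME"} - dnssec)


def fixed_zone() -> Zone:
    """The fix the thread converged on: a CAA RRset at the CNAME target."""
    z = copy.deepcopy(ZONE_BEFORE)
    z["cluster.evolmind.com."]["CAA"] = [(0, "issue", "letsencrypt.org")]
    return z


if __name__ == "__main__":
    for label, z in (("before", ZONE_BEFORE), ("after", fixed_zone())):
        ok, why = issuance_allowed(z, "formaciones.firmaprofesional.com", "letsencrypt.org")
        print(f"{label}: allowed={ok} ({why})")
```

Run stand-alone it prints the "before" refusal, worded like the error in the first post, and the "after" authorisation at the CNAME target. `cname_conflicts` is the check to run on a proposed zone before trying to put the CAA record on the subdomain itself.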

Hello!

Thank you very much, we have created the RR record at cluster.evolcampus.com and it is already working.

Actually, firmaprofesional is a CA and also a CA/B member (Firmaprofesional | PKI Consortium)


Hm, they are indeed listed at Members | CA/Browser Forum, I stand corrected.

