CAA fail for domain with no CAA record and no SERVFAIL

marktheunissen · October 13, 2017, 1:20pm

Hi team, we are seeing the following error returned:

403 urn:acme:error:caa: Error creating new cert :: Rechecking CAA: While processing CAA for theworkflowexpert.inmotionnow.com: CAA record for theworkflowexpert.inmotionnow.com prevents issuance

However the domain theworkflowexpert.inmotionnow.com does not appear to have a CAA record, and we don't get a SERVFAIL when doing a query, so it's not really clear how we can fix this. Any tips from the Boulder logs as to what might be going wrong?

Thanks
Mark

marktheunissen · October 13, 2017, 1:21pm

unboundtest also returns no problems:

https://unboundtest.com/m/CAA/theworkflowexpert.inmotionnow.com/74KN4C33

Query results for CAA theworkflowexpert.inmotionnow.com

Response:
;; opcode: QUERY, status: NOERROR, id: 49502
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;theworkflowexpert.inmotionnow.com.	IN	 CAA

;; ANSWER SECTION:
theworkflowexpert.inmotionnow.com.	300	IN	CNAME	live-inmotionnow-theworkflowexpert.pantheonsite.io.
live-inmotionnow-theworkflowexpert.pantheonsite.io.	600	IN	CNAME	fe1.edge.pantheon.io.

;; AUTHORITY SECTION:
edge.pantheon.io.	0	IN	SOA	ns-644.awsdns-16.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

pfg · October 13, 2017, 1:40pm

A CAA record exists for inmotionnow.com:

0 issuewild "godaddy.com"
0 issue ";"
0 issuewild "starfieldtech.com"
0 iodef "mailto:support@inmotionnow.com"

CAA records are “inherited” by subdomains if they have no CAA record of their own. If you have sufficient control over the subdomain to add your own CAA record on it, you can get around this, but otherwise, you (or whoever controls the domain) would need to change or remove the CAA record on inmotionnow.com.

cpu · October 13, 2017, 1:49pm

As @pfg points out (thanks!) the problem is with the parent domain of "theworkflowexpert.inmotionnow.com". A common point of confusion with UnboundTest is that it doesn't implement the CAA checking algorithm that Boulder uses, it only recreates single queries. This makes sense since it's a vanilla Unbound instance and Unbound wouldn't have any need to implement the CAA checking algorithm defined for CAs since it isn't a CA To match Boulder's CAA enforcement you need to manually drive UnboundTest to do a series of queries the same way that Boulder does. E.g. one for theworkflowexpert.inmotionnow.com and then one for inmotionnow.com.

cpu · October 13, 2017, 1:55pm

I think we still have some work to do with this error message. I would have expected it to say:

"Error creating new cert :: Rechecking CAA: While processing CAA for theworkflowexpert.inmotionnow.com: CAA record for inmotionnow.com prevents issuance"

I opened Err message for CAA record preventing issuance includes wrong domain. · Issue #3171 · letsencrypt/boulder · GitHub for this to try and iterate. Apologies, I thought we had fixed this better in Include original domain in `treeClimbingLookupCAAWithCount` errors · Issue #3094 · letsencrypt/boulder · GitHub

system · November 12, 2017, 1:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
False CAA failure when issuing certs Issuance Tech	35	4100	August 9, 2018
SERVFAIL causing issuance failures, unable to reproduce in Unbound or locally Help	46	4315	September 6, 2018
CAA SERVFAIL changes API Announcements	3	15584	September 7, 2017
SERVFAIL looking up CAA Warning Help	17	1524	April 5, 2022
DNS problem: SERVFAIL looking up CAA for domain Help	12	17433	September 6, 2017

CAA fail for domain with no CAA record and no SERVFAIL

Related topics