CAA record is present, but LE won't issue?


#1

The “registered domain” is bcsd.com , and under that we have some dozens of subdomains, such as garza.bcsd.com.

For all subdomains, we get this output:

Error creating new cert :: Rechecking CAA: While processing CAA for <some-subdomain-here>.bcsd.com: CAA record for <some-subdomain-here>.bcsd.com prevents issuance

We have gotten that identical output for attempts on all subdomains, but not when issuing for the main “registered domain” itself.

We do have a CAA record on the registered domain itself, as can be seen here:
https://caatest.co.uk/bcsd.com

We do not have (and should not need) CAA records on the subdomains, as can be seen here:
https://caatest.co.uk/seal.bcsd.com

If you wonder why I believe we should not need CAA records on the subdomains, I’ll reference https://letsencrypt.org/docs/caa/

You can set CAA records on your main domain, or at any depth of subdomain … CAs will check each version, from left to right, and stop as soon as they see any CAA record … Most people who add CAA records will want to add them to their registered domain ( example.com ) so that they apply to all subdomains

We use a very old version of certbot, which is almost certainly not the cause as it generates certs for some thousands of hostnames each month without problem. This problem appears to be occurring on LE servers, after which the failure is successfully communicated back to our client software. LE apparently dislikes the CAA records on this registered domain, or is perhaps not conforming to the claim made on the official website and not honoring the CAA record on the registered domain.

My money is on some failure of ours to set up the CAA record properly, but it’s passing the CAA validators online, so I’m not sure what to think.


#2

Hi @lancedolan

checking your main domain via

Some nameserver see your entry. Some (most in the USA) not

Holtsville NY, United States
Opendns -
Canoga Park, CA, United States
Sprint -
Holtsville NY, United States
Opendns -
Mountain View CA, United States
Google -
New York, United States
Columbia University -
Montreal, Canada
Videotron -
Yekaterinburg, Russian Federation
Skydns -

Perhaps there is a long TTL, so you should wait. Checked with my own main domain ( server-daten.de ), the CAA entry is global visible.


#3

Firstly, thanks for you time. :smiley:

This problem has been occurring for 10+ days so I didn’t think prorogation could be relevant any longer. I’m a DNS novice, at best, and have the unconfident understanding that DNS TTL can’t be set higher than a day.

Seems you’ve found the first step in solving the problem, I’ll do more thinking.


#4

Clarification: I can see that it’s not LE’s fault. We issued certs for all of these hostnames 60+ days ago and that propagation result is a surprise to me.


#5

Oh, this is interesting.

Is it possible that the list is too long? So that some name servers are buggy?

What happens, if you pick one not working subdomain and create only an entry

0 issue "letsencrypt.org"

for this subdomain.

So the CAA for the domain is ignored.


#6

PS: A second thing is curious. Checking your subdomain via

there are “resolved” results. Complete.

Checking my own subdomain

there is nothing resolved.

Looks like you have defined something like an empty entry.


#7

Incredibly helpful. Again, thanks for your time in this!


#8

For what it’s worth, bcsd.com has DNS issues.

The delegation gives it these two nameservers:

bcsd.com.               172800  IN      NS      ns1.bcsd.com.
bcsd.com.               172800  IN      NS      xns2.bcsd.com.

However, ns1.bcsd.com gives three:

bcsd.com.               10800   IN      NS      bcsd.k12.ca.us.
bcsd.com.               10800   IN      NS      ns1.bcsd.com.
bcsd.com.               10800   IN      NS      xns2.bcsd.com.

bcsd.k12.ca.us.         28800   IN      A       151.101.0.80
bcsd.k12.ca.us.         28800   IN      A       151.101.128.80
bcsd.k12.ca.us.         28800   IN      A       151.101.192.80
bcsd.k12.ca.us.         28800   IN      A       151.101.64.80

ns1.bcsd.com.           10800   IN      A       206.227.15.131

xns2.bcsd.com.          10800   IN      A       198.78.182.32

bcsd.k12.ca.us is four Fastly CDN web server IP addresses, which don’t respond to DNS.

xns2.bcsd.com… I think it worked a few minutes ago but just went down? And when it was up, I think it said bcsd.com had no CAA records. (Which would allow Let’s Encrypt to issue, of course.)

http://dnsviz.net/d/bcsd.com/W-zjOA/dnssec/

Let’s Encrypt might just be failing due to the DNS servers being down.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.