CAA record is present, but LE won't issue?

lancedolan · November 14, 2018, 8:53pm

The "registered domain" is bcsd.com , and under that we have some dozens of subdomains, such as garza.bcsd.com.

For all subdomains, we get this output:

Error creating new cert :: Rechecking CAA: While processing CAA for <some-subdomain-here>.bcsd.com: CAA record for <some-subdomain-here>.bcsd.com prevents issuance

We have gotten that identical output for attempts on all subdomains, but not when issuing for the main "registered domain" itself.

We do have a CAA record on the registered domain itself, as can be seen here:

We do not have (and should not need) CAA records on the subdomains, as can be seen here:

If you wonder why I believe we should not need CAA records on the subdomains, I'll reference Certificate Authority Authorization (CAA) - Let's Encrypt

You can set CAA records on your main domain, or at any depth of subdomain ... CAs will check each version, from left to right, and stop as soon as they see any CAA record ... Most people who add CAA records will want to add them to their registered domain ( example.com ) so that they apply to all subdomains

We use a very old version of certbot, which is almost certainly not the cause as it generates certs for some thousands of hostnames each month without problem. This problem appears to be occurring on LE servers, after which the failure is successfully communicated back to our client software. LE apparently dislikes the CAA records on this registered domain, or is perhaps not conforming to the claim made on the official website and not honoring the CAA record on the registered domain.

My money is on some failure of ours to set up the CAA record properly, but it's passing the CAA validators online, so I'm not sure what to think.

JuergenAuer · November 14, 2018, 9:01pm

Hi @lancedolan

checking your main domain via

Some nameserver see your entry. Some (most in the USA) not

Holtsville NY, United States
Opendns -
Canoga Park, CA, United States
Sprint -
Holtsville NY, United States
Opendns -
Mountain View CA, United States
Google -
New York, United States
Columbia University -
Montreal, Canada
Videotron -
Yekaterinburg, Russian Federation
Skydns -

Perhaps there is a long TTL, so you should wait. Checked with my own main domain ( server-daten.de ), the CAA entry is global visible.

lancedolan · November 14, 2018, 9:05pm

Firstly, thanks for you time.

This problem has been occurring for 10+ days so I didn’t think prorogation could be relevant any longer. I’m a DNS novice, at best, and have the unconfident understanding that DNS TTL can’t be set higher than a day.

Seems you’ve found the first step in solving the problem, I’ll do more thinking.

lancedolan · November 14, 2018, 9:10pm

Clarification: I can see that it’s not LE’s fault. We issued certs for all of these hostnames 60+ days ago and that propagation result is a surprise to me.

JuergenAuer · November 14, 2018, 9:11pm

Oh, this is interesting.

Is it possible that the list is too long? So that some name servers are buggy?

What happens, if you pick one not working subdomain and create only an entry

0 issue "letsencrypt.org"

for this subdomain.

So the CAA for the domain is ignored.

JuergenAuer · November 14, 2018, 9:17pm

PS: A second thing is curious. Checking your subdomain via

there are "resolved" results. Complete.

Checking my own subdomain

there is nothing resolved.

Looks like you have defined something like an empty entry.

lancedolan · November 14, 2018, 9:33pm

Incredibly helpful. Again, thanks for your time in this!

mnordhoff · November 15, 2018, 3:26am

For what it’s worth, bcsd.com has DNS issues.

The delegation gives it these two nameservers:

bcsd.com.               172800  IN      NS      ns1.bcsd.com.
bcsd.com.               172800  IN      NS      xns2.bcsd.com.

However, ns1.bcsd.com gives three:

bcsd.com.               10800   IN      NS      bcsd.k12.ca.us.
bcsd.com.               10800   IN      NS      ns1.bcsd.com.
bcsd.com.               10800   IN      NS      xns2.bcsd.com.

bcsd.k12.ca.us.         28800   IN      A       151.101.0.80
bcsd.k12.ca.us.         28800   IN      A       151.101.128.80
bcsd.k12.ca.us.         28800   IN      A       151.101.192.80
bcsd.k12.ca.us.         28800   IN      A       151.101.64.80

ns1.bcsd.com.           10800   IN      A       206.227.15.131

xns2.bcsd.com.          10800   IN      A       198.78.182.32

bcsd.k12.ca.us is four Fastly CDN web server IP addresses, which don’t respond to DNS.

xns2.bcsd.com… I think it worked a few minutes ago but just went down? And when it was up, I think it said bcsd.com had no CAA records. (Which would allow Let’s Encrypt to issue, of course.)

http://dnsviz.net/d/bcsd.com/W-zjOA/dnssec/

Let’s Encrypt might just be failing due to the DNS servers being down.

system · December 15, 2018, 3:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Requesting a certificate for a subdomain fails since it doesn't have CAA record Help	15	1640	March 19, 2019
CAA error when creating certificate Help	9	540	June 9, 2024
Couldn't find a CAA record for a domain Help	11	1723	December 1, 2021
CAA & CNAME along with external service Help	10	2001	May 20, 2021
Is LE currently checking for CAA records? Issuance Tech	5	2924	May 9, 2017

CAA record is present, but LE won't issue?

Related topics