CAA record issue while renewing

Check this out for all details you need… hopefully.

“sudo letsencrypt renew” returned the following. Since the SSL certificate is valid for only a week now, and I couldn’t find any step-by-step guide for this issue, I’ve created a new thread.

The system is running on a Raspberry Pi 3B+ with Raspbian, kernel version 4.19.66-v7. I only use this for hosting an ownCloud server.

Since I got my domain via my router’s configuration page, I have no information or knowledge about the DNS I’m using. (The picture shows another domain I can’t get a certificate for, but you get the point.)

certbot version is 0.28.0.


There is no CAA record for koishinorouter.ipdisk.co.kr, so Let’s Encrypt looks at the hostname with a DNS field less: ipdisk.co.kr. That hostname does have a CAA record:

ipdisk.co.kr.		38400	IN	CAA	0 issue ";"
ipdisk.co.kr.		38400	IN	CAA	0 issuewild ";"

This prevents issuance by any certificate authority.

You can start issuing certificates again by generating your own CAA record and putting it at koishinorouter.ipdisk.co.kr. See for example https://sslmate.com/caa/ to generate a CAA record.

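The lookup described in the reply above, as an added example that is not part of the original thread or of Let's Encrypt's code: a simplified model of the CAA tree climb run against a constructed zone table. It assumes no CNAMEs and no critical-flag handling; the function names are hypothetical, and `letsencrypt.org` is the issuer domain name Let's Encrypt matches in `issue` records.

```python
# Constructed zone table: owner name -> list of (flags, tag, value) CAA records.
# The two ipdisk.co.kr entries mirror the records quoted in the reply above.
ZONE = {
    "ipdisk.co.kr": [(0, "issue", ";"), (0, "issuewild", ";")],
}

def relevant_caa_set(fqdn, zone):
    """Climb from fqdn toward the root; return (owner, records) for the first
    name that has CAA records, or (None, []) when no ancestor has any."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_domains(records, tag):
    """Issuer domain names authorized by records carrying the given tag.
    A value of ";" has an empty issuer domain name, so it authorizes no CA."""
    allowed = set()
    for _flags, rtag, value in records:
        if rtag == tag:
            domain = value.split(";", 1)[0].strip().lower()
            if domain:
                allowed.add(domain)
    return allowed

def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, owner of the relevant CAA set) for a certificate request."""
    wildcard = fqdn.startswith("*.")
    owner, records = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    tags = {tag for _flags, tag, _value in records}
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True, owner  # no applicable property: issuance is not restricted
    return ca_domain in issuer_domains(records, tag), owner

if __name__ == "__main__":
    host = "koishinorouter.ipdisk.co.kr"
    print(may_issue(host, "letsencrypt.org", ZONE))
    # Same zone plus a CAA record at the host itself, which stops the climb there.
    fixed = dict(ZONE, **{host: [(0, "issue", "letsencrypt.org")]})
    print(may_issue(host, "letsencrypt.org", fixed))
```

A record set at the hostname itself ends the climb before the parent's `issue ";"` is ever consulted, which is why publishing your own CAA record there restores issuance.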

Thanks for the reply! But this brings a few new questions to me that Google couldn’t answer (sorry for my lack of knowledge!):

  • How do I ‘put’ CAA in the domain?

  • Why didn’t letsencrypt have this problem when I first issued a certificate for this exact domain? That was just 3 months ago, long after the CAA bug in letsencrypt.

  • The only option iptime provides for DDNS is the name field, no CAA fields at all. In this case, can’t I renew the certificate at all?

That may be their intention, yes. You should ask iptime why they have created that CAA record.


So creating a new certificate works without CAA, but not renewing it… Sounds weird to me. Could this mean I can just wait until the cert expires and create a new certificate for the same domain?

No, you can't create OR renew a certificate with that CAA record.

More likely what happened is:

  1. That CAA record didn't exist
  2. You created your certificate
  3. iptime added the CAA record
  4. You tried to renew the certificate

Makes sense, gonna ask iptime about this, and better find a new DNS too. Thanks for the help!
