My domain is: siren.io and siren.solutions
I ran this command:
certbot certonly --dry-run -d r12-0.volatile.siren.io --webroot --webroot-path /var/www/
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for r12-0.volatile.siren.io
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain r12-0.volatile.siren.io
http-01 challenge for r12-0.volatile.siren.io
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
Domain: r12-0.volatile.siren.io
Type: caa
Detail: CAA record for siren.io prevents issuance
My web server is (include version): apache 2.4
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0
Further notes:
We have been using letsencrypt without any CAA issues for several years.
The CAA for this domain is correct: https://caatest.co.uk/r12-0.volatile.siren.io
The earliest renewal failure was logged at 0733Z on Friday 26th, but the same issue is now affecting all pending renewals and fresh issuances across our domains siren.io and siren.solutions. I have not been able to reproduce on any other domains, e.g. my personal domain which also uses letsencrypt with a similar CAA record.
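
Added example, not part of the original post and not Certbot or Let's Encrypt code: a sketch of how a CA picks the relevant CAA record set for a hostname under RFC 8659 (closest ancestor with CAA records wins) and decides whether it may issue. The zone contents and the `example.org` names are constructed for illustration, and the sketch ignores issue-value parameters such as `validationmethods` and `accounturi`.

```python
# Added example: RFC 8659 CAA evaluation. All zone data here is constructed.
CA = "letsencrypt.org"                 # Let's Encrypt's CAA issuer domain name
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this sketch understands

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; the closest name with CAA wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_of(value):
    """Issuer domain of an issue/issuewild value; parameters are ignored."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(fqdn, zone, ca=CA):
    """Return (allowed, reason); zone maps name -> [(flags, tag, value)]."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, "no CAA records between the name and the root"
    for flags, tag, _ in rrset:
        # A set critical bit (128) on a tag the CA does not know blocks issuance.
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {tag!r} at {name}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    props = wild if (wildcard and wild) else issue
    if not props:
        return True, f"CAA at {name} does not restrict this request"
    if any(issuer_of(v) == ca for v in props):
        return True, f"CAA at {name} authorizes {ca}"
    return False, f"CAA record for {name} prevents issuance"

# Constructed zones: parent-only policy, and a closer RRset that overrides it.
PARENT_ONLY = {"example.org": [(0, "issue", "letsencrypt.org")]}
OVERRIDDEN = {
    "example.org": [(0, "issue", "letsencrypt.org")],
    "volatile.example.org": [(0, "issue", ";")],   # ";" = no CA may issue
}

if __name__ == "__main__":
    for zone in (PARENT_ONLY, OVERRIDDEN):
        print(caa_permits("r12-0.volatile.example.org", zone))
```

The name in the reason string is the one whose record set was actually evaluated, which is the name to query directly when comparing against what a third-party CAA checker reports.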