CAA record prevents issuance

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: talksports.page

I ran this command: certbot renew --dry-run

It produced this output: Detail:
Attempting to renew cert (talksports.page) from /etc/letsencrypt/renewal/talksports.page.conf produced an unexpected error: FAiled authorization procedure. talksports.page (http-01): urn:ietf:params:acme:error:caa :: CAA record for talksports.page prevents issuance. Skipping.

CAA record for talksports.page prevents issuance
or sometimes it says:
DNS Problem: SERVFAIL looking up CAA for talksports.page - the domain’s nameservers may be malfunctioning

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

As additional information, some cites report me as having no CAA set, others like ssllabs make it look like everything is correct.

On digital ocean, my settings look like:

|CAA|talksports.page
authorization: letsencrypt.org
issue|60|

I can’t even begin to list the number of sites I have looked at to get ideas but nothing is working.

Hi @rybussell

there is a check of your domain, ~~3 hours old - https://check-your-website.server-daten.de/?q=talksports.page (checked new, not seen the old result).

Ah, the old check:

The new:

2020-01-24.talksports.page.21079×191 4.9 KB

Mhm. ns1.digitalocean.com is one of your name servers.

Unboundtest https://unboundtest.com/m/CAA/talksports.page/KNZZSPZ3 has a lot of Throwaway results and a Servfail.

Your value

looks wrong. Perhaps remove the entry complete. Looks like there are completely wrong values.

PS: The CAA entry must have a special format. So if you use a wrong definition -> may be a Servfail.

PPS: Your www CAA entry is correct. Create the same entry with your non-www domain name.

PPPS: Your first check - there was no error. So it looks that you have defined something wrong that creates a ServFail.

Weird… My WWW and my non-WWW are the exact same with the exception of the www…

image1194×297 17.3 KB

Remove the non-www version.

Checked manual - the same result: www works, non-www not, a Servfail.

PS: Now it works, 22:36

I changed the non-www version to issue wild… I’m just gonna remove it completely though… Thanks for the help!

Yep, now the result is empty.

Looks like a temporary problem of ns1.digitalocean.com.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.