CAA record prevents issuance

Help
1

Hello,
my LE renewal fails despite nothing changed on my side since last successful renewal 2 months ago.

Tests on https://unboundtest.com and https://letsdebug.net showing all ok.

pi@pihole:[~] $ certbot --version
certbot 2.11.0
pi@pihole:[~] $ # sudo certbot renew -v --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/miharu.dedyn.io.conf

Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-desec, Installer None
Simulating renewal of an existing certificate for *.miharu.dedyn.io and miharu.dedyn.io
Reusing existing private key from /etc/letsencrypt/live/miharu.dedyn.io/privkey.pem.
Performing the following challenges:
dns-01 challenge for miharu.dedyn.io
dns-01 challenge for miharu.dedyn.io
Waiting 80 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain miharu.dedyn.io
dns-01 challenge for miharu.dedyn.io

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: miharu.dedyn.io
Type: caa
Detail: CAA record for miharu.dedyn.io prevents issuance

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

Cleaning up challenges
Failed to renew certificate miharu.dedyn.io with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

CAA is set to

grafik
grafik2229×123 16.5 KB

even by setting from 128 to 0 it is not working

2

You're not only issuing a cert for just a wildcard hostname, yet you're only using the issuewild CAA property.

Edit:
Hmm, but the following example from RFC 8659 says it should work:

The following RRset requests that only ca2.example.org issue certificates for "*.wild3.example.com" or "*.sub.wild3.example.com". It permits any Issuer to issue for "wild3.example.com" or "sub.wild3.example.com".

wild3.example.com CAA 0 issuewild "ca2.example.org"

Could this be a too strict interpretation of RFCs by Let's Encrypt? :thinking:

1 Like
3

hm :slight_smile: smth. I can change to get around the error?

4

You could try to change issuewild to issue, as the issue property also applies to wildcard hostnames. The issuewild property is only to be used if one wants different settings for wildcard hostnames vs. non-wildcard hostnames.

If issue works, then maybe Let's Encrypt should look at their CAA interpretation.

1 Like
5

will try, gimme a sec :wink:

6

doesnt work:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-11-01 09:36:50,905:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 09:36:50,909:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2024-11-01 09:36:50,911:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem (failure)
2024-11-01 09:36:50,912:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 09:36:50,913:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-11-01 09:36:50,922:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)ype or paste code here
7

@Osiris
Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
2600 Domain: miharu.dedyn.io
2601 Type: caa
2602 Detail: CAA record for miharu.dedyn.io prevents issuance
2603
2604 Domain: miharu.dedyn.io
2605 Type: caa
2606 Detail: CAA record for miharu.dedyn.io prevents issuance
2607
2608 Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

8

i still see issuewild caa on that domain

1 Like
9

I changed back after test, but can redo if required

10

btw that record also have acme-v02.api.letsencrypt.org/acme/acct/125274239 pinned as accounturi: is that right account on your server?

2 Likes
11

yes, didnt change anything since last successful renew 2months ago

12

same:

2024-11-01 10:06:46,287:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 10:06:46,291:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2024-11-01 10:06:46,292:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem (failure)
2024-11-01 10:06:46,293:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 10:06:46,294:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2024-11-01 10:06:46,302:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

;; ANSWER SECTION:
miharu.dedyn.io. 0 IN CAA 128 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1

13

could you test without accouunturi at all?

1 Like
14

why should that work without the account?

15

Because maybe your account id changed somehow and so the CAA record is now blocking the new account.

It is just a test to help isolate what, exactly, is causing the block.

Let's Encrypt issues about 5 million certs per day. And, many domains have CAA records. A general problem with CAA would cause many problems which we are not seeing (yet, anyway). There is something more specific happening in this case so it helps to know exactly what.

Also, when showing the letsencrypt.log file please show the Certbot error. The bottom part with the python traceback is rarely useful and is not in this case.

3 Likes
16

then only:

grafik
grafik2205×119 11.2 KB

?

17

ok, runs with this setup:
miharu.dedyn.io. 3504 IN CAA 128 issuewild "letsencrypt.org"

18

uh, runs fine without

2024-11-01 16:43:00,950:DEBUG:certbot._internal.display.obj:Notifying user: Congratulations, all simulated renewals succeeded:
2024-11-01 16:43:00,951:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem (success)
2024-11-01 16:43:00,952:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 16:43:00,953:DEBUG:certbot._internal.renewal:no renewal failures

in dry-run, so what next now, I guess the account somehow is neeed ....?

19

Is the problem that you only put your production account in your CAA record, but are doing testing on the staging Let's Encrypt system? In general, if you're going to have an account-restricted CAA record, you're going to want to have an entry for production and an entry for staging.

I think certbot show_account --staging will get you your staging account URI, if you need it.

4 Likes
20

no, I only the the production one, so do I re-insert the "only" URI setting, I guess that was the prod one .... didnt use the stage one for long time