CAA record prevents issuance

I am posting this to help others in the future. :slightly_smiling_face:

A demonstration of more restrictive CAA record fields for both the Let's Encrypt production and staging environments.

This is for the DNS-01 challenge described in Challenge Types - Let's Encrypt.

I am demonstrating with a test domain of mine and the Certbot Instructions | Certbot.
I had a propagation issue with the default of 80 seconds, so I changed it to 300 seconds with this option added to the certbot command line: --dns-desec-propagation-seconds=300

$ nslookup -q=caa fivvy.us.eu.org ns1.desec.io.
;; Truncated, retrying in TCP mode.
Server:         ns1.desec.io.
Address:        45.54.76.1#53

fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
$ nslookup -q=caa fivvy.us.eu.org ns2.desec.org.
;; Truncated, retrying in TCP mode.
Server:         ns2.desec.org.
Address:        157.53.224.1#53

fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
fivvy.us.eu.org rdata_257 = 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
$ sudo certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/1483983656
  Account Thumbprint: QX3VW-VjJ6ZlVTPv9Mm6QR6zMQW8U1pGGXPI0CP4psI
  Email contact: bam@figment.biz
$ sudo certbot show_account --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-staging-v02.api.letsencrypt.org/directory:
  Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314
  Account Thumbprint: kHnkBT36Jx_qD9cOeAg1Bs-7pMT4UC8DNzoY6moVaCk
  Email contact: none
$ sudo certbot renew --dry-run --renew-by-default -v --dns-desec-propagation-seconds=300
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fivvy.us.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-desec, Installer None
Simulating renewal of an existing certificate for fivvy.us.eu.org and *.fivvy.us.eu.org
Performing the following challenges:
dns-01 challenge for fivvy.us.eu.org
dns-01 challenge for fivvy.us.eu.org
Waiting 300 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot renew --renew-by-default -v --dns-desec-propagation-seconds=300
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fivvy.us.eu.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-desec, Installer None
Renewing an existing certificate for fivvy.us.eu.org and *.fivvy.us.eu.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fivvy.us.eu.org
    Serial Number: 4cc83e3d16d09496a1e1fb99732673fe632
    Key Type: ECDSA
    Domains: fivvy.us.eu.org *.fivvy.us.eu.org
    Expiry Date: 2025-01-30 17:42:41+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fivvy.us.eu.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fivvy.us.eu.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot --version
certbot 2.11.0
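To see what the records above actually enforce, here is an added example (not part of the original post or of Certbot) that parses CAA issue/issuewild values with the RFC 8657 validationmethods and accounturi parameters and decides whether a given CA, challenge type and ACME account would be permitted to issue. The records are constructed from the nslookup output in the post; the "other-ca.example" name and the 000000000 account are placeholders.

```python
from dataclasses import dataclass

@dataclass
class CAARecord:
    flags: int   # 128 = issuer-critical flag, as in the post's records
    tag: str     # "issue" or "issuewild"
    value: str   # 'ca-domain;param=value;...'

def parse_value(value):
    """Split 'letsencrypt.org;validationmethods=dns-01;accounturi=...' into
    (ca_domain, {param: value}). A bare ';' means no CA may issue."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), params

def caa_permits(records, ca_domain, wildcard, method, account_uri):
    """Decide whether ca_domain may issue for the name (RFC 8659 tag semantics
    plus the RFC 8657 validationmethods/accounturi parameters used in the post).
    issuewild records take over for wildcard names only when any are present."""
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:           # no relevant record: CAA does not restrict issuance
        return True
    for r in relevant:
        ca, params = parse_value(r.value)
        if ca != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed and method not in allowed.split(","):
            continue           # e.g. http-01 is rejected when only dns-01 is listed
        uri = params.get("accounturi")
        if uri and uri != account_uri:
            continue           # a different ACME account at the same CA is rejected
        return True            # every constraint of this record is satisfied
    return False

# Constructed from the nslookup output in the post above.
PROD = "https://acme-v02.api.letsencrypt.org/acme/acct/1483983656"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/130474314"
RECORDS = [
    CAARecord(128, tag, f"letsencrypt.org;validationmethods=dns-01;accounturi={uri}")
    for tag in ("issue", "issuewild") for uri in (STAGING, PROD)
]

if __name__ == "__main__":
    print(caa_permits(RECORDS, "letsencrypt.org", True, "dns-01", PROD))    # True
    print(caa_permits(RECORDS, "letsencrypt.org", False, "http-01", PROD))  # False
```

Note that accounturi pins issuance to the account shown by `certbot show_account`, so rotating or re-registering the ACME account without updating the CAA record is itself enough to make issuance fail.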