CAA record prevents issuance

You want a CAA record with multiple entries, like this:

0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/0000000"
0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/99999999"

(Or use issuewild if you do in fact want the restrictions only on wildcard certificates, and no restrictions on non-wildcards)

4 Likes

No, no, only one, nothing with staging. I reinserted the URI and now it fails again:

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: miharu.dedyn.io
Type: caa
Detail: CAA record for miharu.dedyn.io prevents issuance

So what is suddenly wrong with the URI? How can it be fixed?

;; ANSWER SECTION:
miharu.dedyn.io. 0 IN CAA 128 issuewild "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/125274239"

It works in dry-run WITHOUT the URI.

The --dry-run uses staging

What do these show?

sudo certbot show_account
sudo certbot show_account --staging
4 Likes

sudo certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-v02.api.letsencrypt.org/directory:
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/125274239
Account Thumbprint: xxx
Email contact: xxx@xxx.com

sudo certbot show_account --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-staging-v02.api.letsencrypt.org/directory:
Account URL: https://acme-staging-v02.api.letsencrypt.org/acme/acct/20150032
Account Thumbprint: xxx
Email contact: xxx@xxx.com

1 Like

Thanks. I really thought we were going to see that your account ID had changed.

Just as a test, could you change your CAA record to this

 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/125274239"

And, if you plan to use --dry-run again, you need to add a second value like

0 issue "letsencrypt.org;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/20150032"
2 Likes

Hi @un99known99,

Why not just simplify the domain's CAA Record to this?
[image of the suggested CAA record]

2 Likes

Added. I can't add a 2nd one for staging, so I changed it to 0 and issue. What next?

miharu.dedyn.io. 0 IN CAA 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/125274239"

Seriously, yes, why not, but what is the URI for then? What is it required for?

Further restriction.

I run the way I posted.

2 Likes

So safe enough, I guess? It is crazy, as the last time 60 days ago all worked and I didn't change anything in between...

I believe so; however, one can always add more safety at the expense of being more difficult.

3 Likes

Having multiple CAA records should be a very normal thing that your DNS provider should be able to handle.

3 Likes

Yep it is.

3 Likes

That was the command in your first post. So, we know --dry-run will fail with CAA and accounturi that ONLY includes your production account.

Adding a second CAA value should work. You might need to ask your DNS provider.

Still, try this command ONCE now. You already got a valid production cert earlier today, so we need to force it to issue another one. You won't be able to use --dry-run until you get a CAA accounturi for that.

sudo certbot renew --force-renew

Using force can soon get you blocked due to rate limits. So, it is best to fix your CAA rather than repeatedly use --force.

4 Likes

Yes, a 2nd is possible, sorry, stupid me. I will add a 2nd and "0 issue letsencrypt". What do 0 and issue stand for?

Let's Encrypt CAA support is described here: Certificate Authority Authorization (CAA) - Let's Encrypt

3 Likes

Okay good on staging CAA. Now try

sudo certbot renew --dry-run
3 Likes

OK, that worked (sudo certbot renew --dry-run):

2024-11-01 17:36:24,293:DEBUG:certbot._internal.display.obj:Notifying user: Congratulations, all simulated renewals succeeded:
2024-11-01 17:36:24,294:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/miharu.dedyn.io/fullchain.pem (success)
2024-11-01 17:36:24,295:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-11-01 17:36:24,296:DEBUG:certbot._internal.renewal:no renewal failures

Okay. Good. We were fighting two problems with similar symptoms.

One was that --dry-run was failing because the accounturi did not allow staging to issue a cert.

And, possibly, issuewild is applied too strictly by Let's Encrypt, only allowing wildcard names in the cert and not the root name too. This was pointed out earlier, but the results got messed up due to the --dry-run account.

You got a valid production cert today which your server is using. So your system should be operating properly. And, --dry-run works with that format of CAA record.

Let us try to reproduce your problem offline. It may take a day or two and we'll let you know. Does that sound good?

3 Likes
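To make the two problems above concrete (the pinned production accounturi rejecting the staging account that --dry-run uses, and issuewild being ignored for a non-wildcard name), here is an added checker, not code from this thread or from Let's Encrypt: it parses CAA records in the presentation format shown above and models the RFC 8659 issue/issuewild selection rules plus the RFC 8657 accounturi and validationmethods parameters. The account URLs are the ones shown in this thread; the record sets are constructed to mirror it.

```python
import re
PROD_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/125274239"
STAGING_ACCT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/20150032"

def parse_caa(rdata):
    """Parse CAA RDATA like '0 issue "letsencrypt.org;accounturi=..."' into (flags, tag, value); bit 128 = critical."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rdata)
    if not m:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    return int(m[1]), m[2].lower(), m[3]

def split_value(value):
    """Split 'issuer;k=v;k=v' into (issuer, {k: v}); a bare ';' names no CA at all."""
    head, *rest = value.split(";")
    params = {}
    for item in rest:
        key, _, val = item.partition("=")
        if key.strip():
            params[key.strip().lower()] = val.strip()
    return head.strip().lower(), params

def caa_permits(records, ca, account_uri, method="dns-01", wildcard=False):
    """Model of RFC 8659 issue/issuewild selection plus RFC 8657 parameters (not Let's Encrypt's own checker)."""
    if any(flags & 128 and tag not in {"issue", "issuewild", "iodef"} for flags, tag, _ in records):
        return False  # unrecognised critical property: issuer must not issue
    issue = [r for r in records if r[1] == "issue"]
    issuewild = [r for r in records if r[1] == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue  # issuewild is ignored for non-wildcard names
    if not relevant:
        return True  # no applicable property: CAA imposes no issue restriction
    for _, _, value in relevant:
        issuer, params = split_value(value)
        if issuer != ca:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # the --dry-run failure: the staging account URL is not the pinned one
        methods = params.get("validationmethods")
        if methods and method not in {m.strip() for m in methods.split(",")}:
            continue
        return True
    return False

def evaluate_thread_records():
    """Constructed record sets mirroring the thread: which account does each permit?"""
    prod_only = [parse_caa(f'0 issue "letsencrypt.org;accounturi={PROD_ACCT}"')]
    both = prod_only + [parse_caa(f'0 issue "letsencrypt.org;accounturi={STAGING_ACCT}"')]
    return {"prod_only/production": caa_permits(prod_only, "letsencrypt.org", PROD_ACCT),
            "prod_only/staging": caa_permits(prod_only, "letsencrypt.org", STAGING_ACCT),
            "both/staging": caa_permits(both, "letsencrypt.org", STAGING_ACCT)}
```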