CAA record problem

I ran this command:
sudo certbot certonly \
--manual \
--preferred-challenges "dns-01" \
--server "https://dv-sxg.acme-v02.api.pki.goog/directory" \
--domains "example.com"

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com


Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

12345gsfafaf1231243sfdbsgfdg452fds

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: Dig (DNS lookup).
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: example.com
Type: caa
Detail: A conflicting CAA "issue" property was found at "example.com." which prohibits "pki.goog" from issuing this class of certificates for this domain.

Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Now I already created a CAA record in my hosted zone and put a value there for "pki.goog".

What should I do now?

  1. This forum is primarily for Let's Encrypt support, not Google PKI support (though yeah, Certbot for some reason directs people here regardless of which CA one is using).
  2. It's going to be hard for anyone to help you without knowing the actual domain name. But it looks like the error says that your CAA record is not allowing pki.goog to issue. So you need to ensure that your CAA record actually includes all CAs that you want to issue for your domain (or remove it if you're fine with all CAs issuing for you). You might want to try out SSLMate's CAA Tool.
5 Likes

Undo any manually created TXT record(s) and start over.

2 Likes

I did this quite a few times but it didn't work for me.

There is not much more we can do without an actual FQDN.

4 Likes

There doesn't seem to be any CAA record on example.com, at least according to Google's public DNS servers. I'm not sure why their PKI infrastructure would be checking different DNS records, so this sounds like a bug on Google's end.

dig @8.8.8.8 -tCAA example.com
; <<>> DiG 9.10.6 <<>> @8.8.8.8 -tCAA example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11341
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	CAA

;; AUTHORITY SECTION:
example.com.		1374	IN	SOA	ns.icann.org. noc.dns.icann.org. 2022091128 7200 3600 1209600 3600

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 19 20:17:12 EDT 2022
;; MSG SIZE  rcvd: 96

I seriously doubt they are in control of the domain example.com.
So, I repeat myself:

3 Likes
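The two technical points in this thread are the advice that a CAA record set must list every CA you want to be able to issue (otherwise the CA is refused, exactly as the "conflicting CAA issue property" error reports) and the `dig -t CAA` check showing how a name with no CAA records of its own is governed by its parent. The following is an added example, written for this page and not code from the thread, from Certbot, or from Google's CA: it parses CAA answer lines in dig's presentation format into an in-memory zone and then applies the RFC 8659 lookup (climb toward the root until a name with CAA records is found) and the issue/issuewild rules to decide whether a given CA identifier such as "pki.goog" is permitted. All names under example.net and the record contents are constructed sample data, so it runs offline; to use it against real DNS, feed it the ANSWER SECTION lines from `dig` for each name instead.

```python
"""Evaluate whether a CA may issue for a name under that name's CAA policy.

Added example for this thread (not Certbot's or Google's code). Implements
the RFC 8659 "relevant record set" lookup and the issue/issuewild checks
against a constructed, in-memory zone instead of live DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (value 128) is the "issuer critical" flag
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)


def zone_from_dig_lines(lines: List[str]) -> Dict[str, List[CAARecord]]:
    """Build {name: [CAARecord, ...]} from CAA lines in dig's presentation
    format, e.g. 'example.net.  3600  IN  CAA  0 issue "letsencrypt.org"'.
    Comment lines (';; ...') and non-CAA records are skipped."""
    zone: Dict[str, List[CAARecord]] = {}
    for line in lines:
        parts = line.split(None, 6)  # name ttl class type flags tag value
        if len(parts) < 7 or parts[3].upper() != "CAA":
            continue
        name = parts[0].rstrip(".").lower()
        flags, tag, value = int(parts[4]), parts[5], parts[6].strip().strip('"')
        zone.setdefault(name, []).append(CAARecord(flags, tag, value))
    return zone


# Constructed dig output standing in for real answers (names are made up).
CONSTRUCTED_DIG_ANSWER = [
    ";; ANSWER SECTION:",
    'example.net.\t3600\tIN\tCAA\t0 issue "letsencrypt.org"',
    'wild.example.net.\t3600\tIN\tCAA\t0 issue "pki.goog"',
    'wild.example.net.\t3600\tIN\tCAA\t0 issuewild ";"',
    'strict.example.net.\t3600\tIN\tCAA\t128 futuretag "x"',
]
EXAMPLE_ZONE = zone_from_dig_lines(CONSTRUCTED_DIG_ANSWER)


def relevant_caa_set(zone: Dict[str, List[CAARecord]],
                     domain: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from `domain` toward the root and return the first name that has
    CAA records, together with those records (RFC 8659 section 3)."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = zone.get(name, [])
        if records:
            return name, records
    return None, []


def parse_issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value; parameters after ';' are
    ignored. An empty result (value ';') means no CA is authorised."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Dict[str, List[CAARecord]], domain: str, ca_id: str,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for a CA identified by `ca_id` (e.g. 'pki.goog')
    requesting a certificate for `domain` (or '*.domain' if wildcard=True)."""
    name, records = relevant_caa_set(zone, domain)
    if not records:
        return True, "no CAA records up to the root; any CA may issue"

    # A critical property the evaluator does not understand forbids issuance.
    for r in records:
        if r.critical and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f'unknown critical property "{r.tag}" at {name}'

    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {name} has no applicable issue property; any CA may issue"

    allowed = {parse_issuer_domain(r.value) for r in applicable}
    if ca_id.lower() in allowed:
        return True, f'"{ca_id}" is listed at {name}'
    listed = sorted(a for a in allowed if a) or "nobody"
    return False, f'CAA at {name} permits only {listed}, not "{ca_id}"'


if __name__ == "__main__":
    for dom, ca, wc in [("www.example.net", "pki.goog", False),
                        ("www.example.net", "letsencrypt.org", False),
                        ("wild.example.net", "pki.goog", True)]:
        ok, why = ca_may_issue(EXAMPLE_ZONE, dom, ca, wc)
        print(f"{'*.' if wc else ''}{dom} / {ca}: {'ALLOWED' if ok else 'REFUSED'} ({why})")
```

The `www.example.net` case reproduces the situation in the thread: the name itself has no CAA records, so the parent's `issue "letsencrypt.org"` applies and a request from `pki.goog` is refused. Adding a second `issue "pki.goog"` record at the parent, or at the name itself, is what makes it pass.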

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.