Since today, the renewal of my certificates fails; I'm getting the error "Challenge failed: CAA record for *.abrecht.li prevents issuance". It was working for years before, and I haven't changed anything. I do have a CAA record, and it does list letsencrypt:
dpa@dragonfly:~$ nslookup -query=CAA abrecht.li
Server: 10.60.10.2
Address: 10.60.10.2#53
Non-authoritative answer:
abrecht.li rdata_257 = 128 iodef "mailto:caa@danielabrecht.ch"
abrecht.li rdata_257 = 128 issuewild "letsencrypt.org; validationmethods=dns01"
abrecht.li rdata_257 = 128 issue "letsencrypt.org; validationmethods=dns01"
I tried adding the "issuewild" entry today after I got that error, but it didn't help at all. DNSSEC also seems to still work fine. I don't see anything wrong on my side, so please fix whatever has broken at LE.
My domain is: dpa.li, abrecht.li, danielabrecht.ch
I ran this command:
./DPA-ACME2/dpa-acme2.py \
--ca https://acme-v02.api.letsencrypt.org/directory \
--account-key account.key \
--csr certs/domains.csr \
--output certs/domains-new.pem \
--contact mailto:letsencrypt@danielabrecht.ch \
-- \
dns-01 zone-update.py --server 127.0.0.1
But that's not relevant; the error was returned from Let's Encrypt's servers.
It produced this output:
File "/var/local/acme/./DPA-ACME2/dpa-acme2.py", line 170, in completeChallenge
raise Exception('Challenge failed: '+challenge_result['error']['detail'])
Exception: Challenge failed: CAA record for *.abrecht.li prevents issuance
My web server is (include version):
I'm using bind9 and the DNS01 challenge
My hosting provider, if applicable, is: Me
I can login to a root shell on my machine (yes or no, or I don't know): yes
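Added example (not part of the original post, and not code from DPA-ACME2 or from Let's Encrypt): an offline model of the CA-side CAA decision, so the records above can be checked the way an issuer evaluates them rather than only confirmed to exist. It implements the RFC 8659 algorithm (climb from the queried name towards the root and use the first non-empty RRset, honour the critical flag, let issuewild take precedence over issue for wildcard names) and the RFC 8657 validationmethods parameter, whose values are ACME challenge type identifiers such as dns-01, http-01 and tls-alpn-01, compared token for token. The three records from the nslookup output are embedded as constructed data, so no DNS is queried; the model assumes the issuer enforces validationmethods as RFC 8657 specifies and ignores any other parameter.

```python
"""CA-side CAA decision modelled offline (RFC 8659 + RFC 8657).

Added example: not the poster's DPA-ACME2 script and not Let's Encrypt's code.
"""

# Constructed zone data: the three records from the nslookup output above,
# as (flags, tag, value) tuples keyed by owner name.  No DNS is queried.
ZONE = {
    "abrecht.li": [
        (128, "iodef", "mailto:caa@danielabrecht.ch"),
        (128, "issuewild", "letsencrypt.org; validationmethods=dns01"),
        (128, "issue", "letsencrypt.org; validationmethods=dns01"),
    ],
}

# Tags this model understands; a critical-flagged record with any other
# tag must block issuance (RFC 8659, section 4).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: walk from the name towards the root and return the
    first non-empty CAA RRset.  A leading wildcard label is dropped first, so
    the lookup for *.abrecht.li starts at abrecht.li."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_issue_value(value):
    """Split 'issuer-domain-name; key=value; ...' into (issuer, params),
    following the issue/issuewild value syntax of RFC 8659 section 4.2."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return issuer, params


def caa_permits(name, ca_domain, method, zone):
    """Decide whether the CA identified by ca_domain may issue for name after
    validating with ACME challenge type `method` (e.g. "dns-01").
    Returns (permitted, reason)."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no CAA records in the tree: issuance unrestricted"

    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical record with unknown tag {tag!r}"

    # RFC 8659 section 4.3: for a wildcard name the issuewild records are
    # authoritative when any exist; otherwise the issue records apply.
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"

    reasons = []
    for _, t, value in rrset:
        if t != tag:
            continue
        issuer, params = parse_issue_value(value)
        if issuer == "":
            reasons.append(f"{tag} record with empty issuer forbids issuance")
            continue
        if issuer != ca_domain.lower():
            reasons.append(f"{tag} names {issuer!r}, not {ca_domain!r}")
            continue
        # RFC 8657: validationmethods is a comma-separated list of ACME
        # challenge type identifiers (dns-01, http-01, tls-alpn-01).  The
        # token must match exactly.  Other parameters are ignored here,
        # a simplification of this model.
        allowed = params.get("validationmethods")
        if allowed is None:
            return True, f"{tag} record permits {ca_domain} with any method"
        methods = [m.strip() for m in allowed.split(",")]
        if method in methods:
            return True, f"{tag} record permits {ca_domain} via {method}"
        reasons.append(f"validationmethods={allowed!r} does not list {method!r}")

    if not reasons:
        # Only iodef (or no records of the relevant tag): RFC 8659 section 4.2
        # says such an RRset does not restrict issuance.
        return True, f"no {tag} record restricts issuance"
    return False, "; ".join(reasons)


if __name__ == "__main__":
    for n in ("*.abrecht.li", "abrecht.li"):
        print(n, caa_permits(n, "letsencrypt.org", "dns-01", ZONE))
```

Running the block prints the decision for *.abrecht.li and abrecht.li with the dns-01 method. A practitioner would also repeat the CAA lookup against the zone's authoritative name servers rather than the local resolver shown in the output (10.60.10.2), to be sure the CA's resolvers see the same RRset.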