Since today, the renewal of my certificates fails; I'm getting the error "Challenge failed: CAA record for *.abrecht.li prevents issuance". It was working before for years, and I haven't changed anything. I do have a CAA record, and it does list letsencrypt:
dpa@dragonfly:~$ nslookup -query=CAA abrecht.li
Server:         10.60.10.2
Address:        10.60.10.2#53

Non-authoritative answer:
abrecht.li      rdata_257 = 128 iodef "mailto:firstname.lastname@example.org"
abrecht.li      rdata_257 = 128 issuewild "letsencrypt.org; validationmethods=dns01"
abrecht.li      rdata_257 = 128 issue "letsencrypt.org; validationmethods=dns01"
I tried adding the "issuewild" entry today after I got that error, but it didn't help at all. DNSSEC also seems to still work fine. I don't see anything wrong on my side, so please fix whatever has broken at LE.
My domain is: dpa.li, abrecht.li, danielabrecht.ch
I ran this command:
./DPA-ACME2/dpa-acme2.py \
  --ca https://acme-v02.api.letsencrypt.org/directory \
  --account-key account.key \
  --csr certs/domains.csr \
  --output certs/domains-new.pem \
  --contact mailto:email@example.com \
  -- \
  dns-01 zone-update.py --server 127.0.0.1

But that's not relevant; the error was returned from Let's Encrypt's servers.
It produced this output:
  File "/var/local/acme/./DPA-ACME2/dpa-acme2.py", line 170, in completeChallenge
    raise Exception('Challenge failed: '+challenge_result['error']['detail'])
Exception: Challenge failed: CAA record for *.abrecht.li prevents issuance
My web server is (include version):
I'm using bind9 and the DNS01 challenge
My hosting provider, if applicable, is: Me
I can login to a root shell on my machine (yes or no, or I don't know): yes
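
An added example, not part of the original post and not Let's Encrypt's code: a small checker that evaluates a CAA RRset against the challenge type the ACME client requests, run over the record values shown in the nslookup output above. It assumes the CA applies RFC 8659 tag precedence and the RFC 8657 `validationmethods` parameter, whose labels for ACME are the challenge type names such as `dns-01`; `parse_issuer`, `caa_permits`, `POSTED` and `VARIANT` are hypothetical names.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
ACME_METHODS = {"http-01", "dns-01", "tls-alpn-01"}  # ACME challenge type names

def parse_issuer(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer, {param: value})."""
    issuer, *rest = [part.strip() for part in value.split(";")]
    params = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer.lower(), params

def caa_permits(records, ca, method, wildcard=False):
    """records: [(flags, tag, value)]. Returns (allowed, reason)."""
    tags = [tag.lower() for _, tag, _ in records]
    for flags, tag, _ in records:
        # Flag 128 (critical) on a tag the CA does not understand blocks issuance.
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r}"
    # For wildcard names, issuewild takes precedence over issue when present.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    relevant = [v for _, t, v in records if t.lower() == wanted]
    if not relevant:
        return True, f"no {wanted} property restricts issuance"
    reasons = []
    for value in relevant:
        issuer, params = parse_issuer(value)
        if issuer != ca:
            continue
        listed = params.get("validationmethods")
        if listed is None:
            return True, f"{wanted} authorises {ca} for any method"
        allowed = {m.strip() for m in listed.split(",")}
        if method in allowed:
            return True, f"{wanted} authorises {ca} via {method}"
        unknown = sorted(allowed - ACME_METHODS)
        reasons.append(f"{wanted} lists {sorted(allowed)}, not {method}"
                       + (f"; unrecognised labels {unknown}" if unknown else ""))
    return False, "; ".join(reasons) or f"{ca} not listed in {wanted}"

# Record values as shown in the post's nslookup output.
POSTED = [(128, "iodef", "mailto:firstname.lastname@example.org"),
          (128, "issuewild", "letsencrypt.org; validationmethods=dns01"),
          (128, "issue", "letsencrypt.org; validationmethods=dns01")]
# Constructed variant using the ACME challenge name as the label.
VARIANT = [(f, t, v.replace("dns01", "dns-01")) for f, t, v in POSTED]

if __name__ == "__main__":
    for name, rrset in (("posted", POSTED), ("variant", VARIANT)):
        print(name, caa_permits(rrset, "letsencrypt.org", "dns-01", wildcard=True))
```

Under these assumptions the posted RRset is rejected for a `dns-01` challenge because the only listed label is `dns01`, while the constructed variant is accepted.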