CAA Record time-to-live?

I've had an accounturi CAA record on my account for years but apparently just now Let's Encrypt is checking that field. That's great, unfortunately my domain is now failing to renew. My accounturi was set to the acme-v01 server as this was the account uri in my regr.json file.

I looked at the "Finding Account IDs" documentation (here Finding Account IDs - Let's Encrypt) and looked at the Boulder-Requester header being used to renew my cert against the acme-v02.api.letsencrypt.org server and it turns out the actual ID is the same. So I changed my CAA record to point to the acme-v02 server instead (URL template: https://acme-v02.api.letsencrypt.org/acme/acct/)

I tried renewing again using certbot and it returned the same CAA authorization failure. Okay, so then I removed the CAA record altogether. Still it's failing. How long are the CAA records cached on Let's Encrypt's end?
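The accounturi matching that the post above runs into, as an added example that is not part of this thread or of any Let's Encrypt code: a small Python parser for CAA records in presentation format, and a check of whether a CA with a given issuer domain and ACME account URL may issue, following the account-binding rule of RFC 8657 (the accounturi parameter must match the account URL exactly, so a record pinned to the acme-v01 URL does not authorize an acme-v02 account even when the numeric ID is the same). The records, the account ID 12345 and the acme-v01 URL form are constructed for illustration.

```python
"""CAA issue/issuewild evaluation with RFC 8657 accounturi binding.

Added example; the records below are constructed, not taken from the thread.
"""
import re
from dataclasses import dataclass, field

CRITICAL = 128                       # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    issuer: str                      # issuer-domain-name; "" forbids all CAs
    params: dict = field(default_factory=dict)


def parse_caa(rr: str) -> CAARecord:
    """Parse presentation format: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+(\S+)\s+"(.*)"\s*', rr)
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return CAARecord(flags, tag, issuer, params)


def may_issue(records, ca_domain, account_uri, wildcard=False):
    """Return (allowed, reason) for a CA identified by ca_domain using account_uri."""
    # A critical record with a tag we do not understand forbids issuance outright.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"unrecognized critical tag {r.tag!r}"

    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        # RFC 8659: issue records govern wildcards when no issuewild exists.
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True, "no relevant CAA records; any CA may issue"

    for r in relevant:
        if r.issuer != ca_domain.lower():
            continue
        bound = r.params.get("accounturi")
        # RFC 8657: an accounturi parameter must match the account URL exactly.
        if bound is None or bound == account_uri:
            return True, f"matched {r.tag} record for {r.issuer}"
    return False, f"no {tag} record permits {ca_domain} with account {account_uri}"


# Constructed records mirroring the situation in the thread (ID 12345 is made up).
OLD_RECORDS = [parse_caa(
    '0 issue "letsencrypt.org; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/12345"')]
NEW_RECORDS = [parse_caa(
    '0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"')]
V2_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"


def demo():
    """Evaluate both record sets against the acme-v02 account URL."""
    return {
        "old": may_issue(OLD_RECORDS, "letsencrypt.org", V2_ACCOUNT)[0],
        "new": may_issue(NEW_RECORDS, "letsencrypt.org", V2_ACCOUNT)[0],
    }


if __name__ == "__main__":
    for name, records in (("old", OLD_RECORDS), ("new", NEW_RECORDS)):
        print(name, may_issue(records, "letsencrypt.org", V2_ACCOUNT))
```

To feed it live data, paste the output of `dig +short CAA yourdomain.example` into `parse_caa`; if the answers differ depending on which authoritative server you ask, compare against each server with `dig @ns1.yourdomain.example CAA yourdomain.example` before concluding the CA is caching a stale record.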

Hello @jkasyd9f87, welcome to the Let's Encrypt community. 🙂

Please read this Certificate Authority Authorization (CAA) - Let's Encrypt and this ISRG CPS v4.4 - Let's Encrypt
and this post as well Soliciting feedback on shortening authorization lifetimes to 7 hours - #27 by aarongable

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!


I believe it’s capped at 1 minute maximum. If you post your domain I can take a look at what’s wrong with the record.


And there is this online tool https://unboundtest.com/


Thank you for your offer to help, I just tried it again and it works. I think the expiration might be a bit more complex than a 1-minute TTL because it was at least 1 day before I tried it after updating my record. In any case whatever cache was set has been cleared and the new URI works, so thank you! I will close this request.


A common source of delays in record propagation is inside the DNS provider hosting a domain's authoritative records, as larger providers often use many distributed servers that may not all get updated right away.

I am glad to hear your problem has been resolved.

