Cert renew failed - CAA failure

agiorg · December 6, 2022, 8:20am

hello,

trying to renew my certificate, I get this:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/crm.bellesuisse.ch/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: crm.bellesuisse.ch
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for crm.bellesuisse.ch
- the domain's nameservers may be malfunctioning

I googled a bit, many say to wait because it could be a temporary dns fail, but it doesn't seem so... any hint?

Thanks a lot

rg305 · December 6, 2022, 8:25am

The hint is "CAA".
Is that properly configured/operating?

_az · December 6, 2022, 8:30am

In this case, it looks like a permanent error.

From what I can tell, it looks like your registrar's nameservers (ns1.register.it, ns2.register.it) are sending an invalid DNSSEC signature when querying for your domain's CAA record.

That's a lot of jargon but I think one of the following might work:

Creating a CAA record for your domain could work around the issue by avoiding having an NSEC response
Disabling DNSSEC for your domain at your registrar, which will avoid signature validation
Contacting whoever runs register.it and asking them to rehash (create DNSSEC signatures) for your zone.

system · January 5, 2023, 8:30am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.