Certificate Issue status

Hi Let's Encrypt Team,

We did add a new SAN “www-stg.hillrom.lat” to the existing certificate [Common Name (CN): www.hillrom.com, Slot: 108009] and the customer validated the same using a TXT record. However, the certificate got stuck, and the comments below were mentioned.

2021-09-14 20:36 GMT Let’s Encrypt: Error finalizing order :: While processing CAA for www.hillrom.biz: DNS problem: SERVFAIL looking up CAA for hillrom.biz - the domain's nameservers may be malfunctioning

Could you please let us know when the order can be finalized?

Thanks in advance!

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

When the problems with the nameservers for hillrom.biz are addressed. I don't see anything evident in my initial tests though. :thinking:

https://dnsviz.net/d/hillrom.biz/dnssec/

https://toolbox.googleapps.com/apps/dig/#CAA/

2 Likes

Hi @Chandana, welcome to the LE community forum :slight_smile:

There is no IP returned for "www.hillrom.biz".
As such, you can't validate the certificate request via HTTP.

2 Likes

But that wouldn't result in CAA errors, right?

3 Likes
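The error quoted in the opening post comes from the CAA check walking up from www.hillrom.biz to hillrom.biz. The sketch below is an added example, not code from Let's Encrypt or from any poster in this thread; it models that walk (RFC 8659 tree climbing) over a constructed, offline response table. The `Answer` type, `SAMPLE_DNS` data and function names are assumptions for illustration, and only the CAA `issue` property is modeled.

```python
# Added illustration: CAA tree climbing (RFC 8659) over constructed, offline data.
from dataclasses import dataclass

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

@dataclass
class Answer:
    rcode: str
    issue: tuple = ()  # values of CAA "issue" properties; empty = no CAA RRset

# Constructed sample responses (not live DNS): the parent zone's CAA query
# fails, matching the error text quoted in the thread.
SAMPLE_DNS = {
    "www.hillrom.biz": Answer(NOERROR),   # name answers, but has no CAA RRset
    "hillrom.biz": Answer(SERVFAIL),
    "biz": Answer(NOERROR),
    "www.example.test": Answer(NXDOMAIN),
    "example.test": Answer(NOERROR, ("letsencrypt.org",)),
    "test": Answer(NOERROR),
}

def check_caa(fqdn, ca_domain, dns):
    """Return (allowed, reason) for one identifier in the order."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        ans = dns.get(name, Answer(NXDOMAIN))
        if ans.rcode == SERVFAIL:
            # A failed lookup is not the same as "no record": a restrictive
            # CAA RRset might exist, so the check fails instead of climbing on.
            return False, f"SERVFAIL looking up CAA for {name}"
        if ans.issue:
            # The first CAA RRset found while climbing is the one that applies.
            ok = ca_domain in ans.issue
            verdict = "permits" if ok else "forbids"
            return ok, f"CAA at {name} {verdict} {ca_domain}"
    return True, "no CAA record found up to the root"

def finalize(sans, ca_domain, dns):
    """An order finalizes only if every identifier passes its CAA check."""
    failures = {}
    for san in sans:
        ok, reason = check_caa(san, ca_domain, dns)
        if not ok:
            failures[san] = reason
    return (not failures), failures
```

In this model one identifier with an unanswerable CAA query is enough to block the whole order, regardless of which validation method was used for the other names.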

All domains are being handled by the same nameservers.
Thus all requests are coming from the same validating IP to the same nameserver IPs.
These simultaneous and cumulative accesses might exceed certain IPS thresholds and possibly some requests might be dropped.
[this is totally speculative - but may hold some truth]

2 Likes

:thinking:

However, I do not see hillrom.biz listed among the 66 domains shown on the GoDaddy cert. It is listed in both LE intermediate certs.
Cookies for hillrom.biz are being sent via http and not https.

It appears some housekeeping is in order.
Per https://check-your-website.server-daten.de/?q=hillrom.biz
Fatal: All checks of http://hillrom.biz/.well-known/acme-challenge/random-filename have a redirect. The destination doesn't have the random filename.
You have to have a working http domain to receive and serve the LE challenge - and get added to the cert - before being redirected to another domain.

The IP address for the http://hillrom.biz domain times out.
Check for a firewall blocking port 80 for hillrom.biz.

Although you do have 2 LE certs - the latest one with 73 entries and the older one with 72 - your domains are using your GoDaddy cert. For the time being, is there anything stopping you from adding hillrom.biz to your GoDaddy cert?

As per your OP, the www-stg.hillrom.lat is currently serving your GoDaddy cert.
None of your domains/servers are using either of the 2 current LE certs that have been issued.

3 Likes