Certificate stuck in 2021-01-27 11:33 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for \


My domain is:
www.dma.mil
I ran this command:

It produced this output:

I see that the certificate is stuck at: 2021-01-27 11:33 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for
I need to understand what the issue is.
The SANs have all validated.
Thanks in advance.

I might be corrected by a Let's Encrypt team member here, but I believe the "Error finalizing order :: Rechecking CAA" is a permanent error and causes the order to be invalid.

To get around it, I think you need to recreate the order (however that is done in Akamai).

Hopefully on the second go around, you won't encounter this CAA error.

Edit: actually, the CAA problem does seem occasionally reproducible:

https://unboundtest.com/m/CAA/dma.mil/CI7JBBJA


If that's correct, I think it would be wise for Let's Encrypt to look at improving this error message. "Rechecking" suggests an ongoing action, even if in fact the author intended to refer to a past action which has failed, so it's easy to imagine someone patiently waiting for it to finish "Rechecking" when in fact it already failed.


We just did the force early renewal (recreated the order again) and it's back to

CA comments
2021-01-27 15:47 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for \

I think some of your nameservers are also not behaving properly.

One thing to check is the nameservers' general availability and reliability, and also their willingness to provide a valid reply to a CAA query.
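To make the "willingness to provide a valid reply to a CAA query" point concrete, here is an added example written for this thread (it is not Let's Encrypt's Boulder code and not a real DNS client). It models the RFC 8659 CAA lookup a CA performs: walk from the FQDN towards the root, use the first non-empty CAA RRset, and treat a nameserver that answers SERVFAIL or times out as a hard failure rather than as "no CAA records". All names and records are constructed for the example; `example.test`, `broken.example.test`, `other-ca.test` and the stand-in resolver are hypothetical. A `check_order` helper evaluates a whole SAN list the way an order is evaluated, which shows why one misbehaving name fails a 73-SAN order and why splitting the SANs into smaller certificates isolates it.

```python
"""Added example: toy CAA evaluator in the style of RFC 8659.

Illustrative code for this thread, not Boulder's implementation. The
resolver below is a stand-in for DNS: it returns a constructed CAA RRset,
[] for NODATA, or raises ResolverError to mimic a nameserver that answers
SERVFAIL/REFUSED or times out on CAA queries. All names are hypothetical.
"""
from dataclasses import dataclass


class ResolverError(Exception):
    """No usable answer for a CAA query (SERVFAIL, REFUSED, timeout)."""


@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (128) = issuer-critical flag
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str


# Constructed zone snapshot (hypothetical names, not real DNS data).
ZONE = {
    "example.test.": [CAARecord(0, "issue", "letsencrypt.org"),
                      CAARecord(0, "issuewild", ";")],
    "blocked.example.test.": [CAARecord(0, "issue", "other-ca.test")],
    "broken.example.test.": ResolverError("SERVFAIL from ns1 (hypothetical)"),
    "critical.example.test.": [CAARecord(128, "futuretag", "x")],
}


def lookup_caa(name: str) -> list:
    """Stand-in resolver: CAA RRset for an FQDN, [] for NODATA, raises on failure."""
    answer = ZONE.get(name, [])
    if isinstance(answer, Exception):
        raise answer
    return list(answer)


def relevant_caa(name: str, resolver=lookup_caa):
    """RFC 8659 section 3: climb from the FQDN towards the root and use the
    first non-empty CAA RRset. A lookup error propagates: the CA cannot
    distinguish 'no CAA' from 'could not query', so it must not issue."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = resolver(candidate)
        if rrset:
            return candidate, rrset
    return ".", []


def caa_permits(name, ca_domain, wildcard=False, resolver=lookup_caa):
    """Return (allowed, reason) for ca_domain issuing a cert for name."""
    try:
        origin, rrset = relevant_caa(name, resolver)
    except ResolverError as err:
        return False, f"CAA lookup for {name} failed: {err}"
    if not rrset:
        return True, f"no CAA records for {name} or its parents"
    # A critical flag on a tag the CA does not understand forbids issuance.
    for rec in rrset:
        if rec.flags & 128 and rec.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical tag {rec.tag!r} at {origin}"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard names only when present.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {origin} does not restrict this request"
    # Issuer domain is the text before any ';' parameters; a bare ';' means no CA.
    allowed = {r.value.split(";", 1)[0].strip() for r in applicable}
    if ca_domain in allowed:
        return True, f"CAA at {origin} permits {ca_domain}"
    names = sorted(a for a in allowed if a)
    return False, f"CAA at {origin} does not list {ca_domain} (allows {names or 'no CA'})"


def check_order(sans, ca_domain, resolver=lookup_caa):
    """Evaluate every SAN of an order; any failing SAN fails the whole order,
    so splitting a large SAN list into smaller certs isolates the bad name.
    Returns {san: reason} for the SANs that fail."""
    failures = {}
    for san in sans:
        wildcard = san.startswith("*.")
        fqdn = (san[2:] if wildcard else san).rstrip(".") + "."
        ok, reason = caa_permits(fqdn, ca_domain, wildcard, resolver)
        if not ok:
            failures[san] = reason
    return failures


if __name__ == "__main__":
    order = ["ok.example.test", "broken.example.test", "*.example.test",
             "blocked.example.test", "unrelated.test"]
    for san, why in check_order(order, "letsencrypt.org").items():
        print(f"{san}: {why}")
```

To apply this to a real domain, replace `lookup_caa` with a function that queries each authoritative nameserver directly and raises `ResolverError` on SERVFAIL, REFUSED or timeout; a single nameserver that mishandles the CAA type will then surface as a failure for every name under it, which matches the symptom in this thread.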

I understand this confusion indeed. I guess the term "Rechecking" comes from the fact that a CAA record needs to be rechecked after a small period, even when the authorization itself is still valid (cached). This was an incident earlier in Let's Encrypt's history, where CAA records weren't checked when there was a valid authz.

So with that in mind, how would Let's Encrypt reword this error message to be more clear?

So as a way around this error message, we created a brand new certificate with all 73 SANs from the original certificate that was stuck with this error message. The certificate validated and was issued very quickly, with no CAA record issues or any other issues. I then went back to the problem certificate. I cancelled the pending order, and then the auto-renewal process started, since it is one day away from expiration. I then got a correct error message that one of the SANs had a problem with its CAA record. I removed this SAN, and then it automatically resubmitted. Now I have the error message "2021-01-27 19:14 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for \ (backslash)". This is no longer an urgent matter, but we do want to know whether this is a bug or not, and whether the only way around it is to create a new certificate entirely, like we did.

Fatal error found while rechecking CAA during order finalization?


A few members already pointed out some DNS issues with one of your domains.

We broke up the 73 SANs on the original cert that was having issues into several certs, adding a few SANs at a time. No problems; the certs were issued quickly. We kept adding more, with no problems. Then we added all 73 at once to a new cert, and there were no issues. This points to a problem with the original cert order, to me.
