Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate

Hi everyone,
For some reason I can't reach our domain or obtain a new certificate.

Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "www.catch-22.co.nz" and 1 more identifiers failed. Refer to sub-problems for more information

Error on Chrome:

This site can’t be reached
Check if there is a typo in catch-22.co.nz.
DNS_PROBE_FINISHED_NXDOMAIN

Error when obtaining a new certificate:

organic@desktop:/etc/nginx/conf.d$ sudo certbot --nginx -d catch-22.co.nz -d www.catch-22.co.nz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/catch-22.co.nz-0002.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "www.catch-22.co.nz" and 1 more identifiers failed. Refer to sub-problems for more information
Please see the logfiles in /var/log/letsencrypt for more details.

My domain is:

catch-22.co.nz

It produced this output:

My web server is (include version):
217.15.151.47

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yes

Nginx file:

organic@desktop:/etc/nginx/conf.d$ cat catch22.conf
server {
        root /var/www/catch-22;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name catch-22.co.nz www.catch-22.co.nz;

        #listen [::]:443 ssl http2 ipv6only=on;
        #listen 443 ssl http2; # managed by Certbot

        client_max_body_size 100M;

        location / {
                #try_files $uri $uri/ =404;
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
                fastcgi_connect_timeout 300s;
                fastcgi_read_timeout 300s;
                fastcgi_send_timeout 300s;
        }

        location ~ /\.ht {
                deny all;
        }

        location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt { log_not_found off; access_log off; allow all; }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
            expires max;
            log_not_found off;
        }

        location ~ ^/\.user\.ini {
                deny all;
        }

    #ssl_certificate /etc/letsencrypt/live/catch-22.co.nz/fullchain.pem; # managed by Certbot
    #ssl_certificate_key /etc/letsencrypt/live/catch-22.co.nz/privkey.pem; # managed by Certbot
    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/catch-22.co.nz-0002/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/catch-22.co.nz-0002/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = www.catch-22.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = catch-22.co.nz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        server_name catch-22.co.nz www.catch-22.co.nz;
    listen 80;
    return 404; # managed by Certbot

}

Webslice domain settings:


The CAA error aside, why would you forcibly try to re-issue your certificate? Certbot says you already have the certificate.


Only for checking purposes :slight_smile:

For checking purposes, you should use --dry-run and NOT hog the Let's Encrypt production servers, which only adds load to them.


Renewing works fine :slight_smile:
UPD: reinstalling.

organic@desktop:/etc/nginx/conf.d$ sudo certbot --nginx -d catch-22.co.nz -d www.catch-22.co.nz
[sudo] password for organic:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/catch-22.co.nz-0002.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/conf.d/catch22.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/catch22.conf
nginx: [warn] conflicting server name "jenkins.thehybrid.xyz" on 0.0.0.0:80, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/catch22.conf
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/catch22.conf
nginx: [warn] conflicting server name "jenkins.thehybrid.xyz" on 0.0.0.0:80, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://catch-22.co.nz and
https://www.catch-22.co.nz

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=catch-22.co.nz
https://www.ssllabs.com/ssltest/analyze.html?d=www.catch-22.co.nz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/catch-22.co.nz-0002/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/catch-22.co.nz-0002/privkey.pem
   Your cert will expire on 2021-05-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That's not renewing, that's re-installing an already locally existing certificate.

Please try certbot renew --dry-run if you want to test renewal. That tests renewal with the staging server and doesn't use cached authorizations, so you can actually check the current situation.

Also, your domain doesn't work at all: www.catch-22.co.nz (DNSViz)

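An added example, not code from this thread or from Certbot/Let's Encrypt, modelling the check behind that error message: the CA climbs from the requested name toward the root looking for CAA records (RFC 8659 section 3), and a lookup that fails on the way (SERVFAIL, timeout, bogus DNSSEC) is treated as forbidding issuance, which is exactly what a zone that does not resolve produces. The in-memory resolver, the zone names (`example.test`, `broken.test`) and the rule that a missing name counts as an empty answer are constructed assumptions of this model.

```python
# Added example (not from the thread): simplified CAA tree-climbing check.
# Constructed data only; nothing here talks to real DNS.

class ResolverFailure(Exception):
    """DNS lookup failed (SERVFAIL, timeout, bogus DNSSEC): NOT 'no records'."""

# Constructed zone data: name -> list of CAA records as (flags, tag, value).
# A missing name yields an empty answer and the climb continues to the parent
# (an assumption of this model). Names in BROKEN simulate nameservers that
# never answer, the situation a failed "Rechecking CAA" corresponds to.
ZONES = {
    "example.test": [(0, "issue", "letsencrypt.org")],
    "locked.example.test": [(0, "issue", ";")],         # forbids every CA
    "strict.example.test": [(128, "unknowntag", "x")],  # critical, unknown tag
}
BROKEN = {"www.broken.test", "broken.test"}

def lookup_caa(name):
    """Constructed resolver standing in for a real CAA query."""
    if name in BROKEN:
        raise ResolverFailure(f"SERVFAIL for {name}")
    return ZONES.get(name, [])

def find_relevant_caa(name, lookup=lookup_caa):
    """Return the CAA RRset of the closest ancestor-or-self that has one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(name, ca="letsencrypt.org", lookup=lookup_caa):
    """Decide whether `ca` may issue a non-wildcard cert for `name`."""
    try:
        rrset = find_relevant_caa(name, lookup)
    except ResolverFailure as e:
        # The thread's case: the CA cannot prove CAA permits it, so it refuses.
        return False, f"CAA lookup failed, treated as forbidding: {e}"
    if not rrset:
        return True, "no CAA records anywhere in the tree, any CA may issue"
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown tag '{tag}' forbids issuance"
    issue_values = [v.split(";")[0].strip() for _, t, v in rrset if t == "issue"]
    if not issue_values:
        return True, "CAA present but no 'issue' records, any CA may issue"
    if ca in issue_values:
        return True, f"'{ca}' is listed in an issue record"
    return False, f"issue records permit only {[v for v in issue_values if v]}"
```

Compare the reason strings for `www.broken.test` and `www.locked.example.test`: both come back as refusals, but only the second is a real CAA policy; the first is the DNS problem DNSViz would show.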

Oh right. Good point, mate.

Thanks for the correction. Yeah, reinstalling indeed - my bad :slight_smile:

Thank you, passing this issue to our domain provider then :slight_smile:


We've received a reply to our ticket, and those actions have completely solved the issue.
Thanks again for your help, @Osiris :slight_smile:

Just a quick update here to let you know we have identified an issue with the DNS settings and this is why the records were not propagating.

You had an invalid rule as per the below:

```
mail    14400   IN  CNAME   catch-22.co.nz.
```

I replaced it with the equivalent following rule:

```
mail    3600    IN  A   217.15.151.47
```

DNS settings are propagating now.
Let us know if we can assist further.
