We are running into on-going CAA validation failures across multiple *.gsa.gov domains trying to be renewed. Below is one example URL, but we have others using acme.sh getting the same error of urn:ietf:params:acme:error:dns
Back in December was our last valid renewal. DNSSEC is enabled on our root but all tooling shows no issues.
2024-02-14 09:09:55.408 -05:00 [ERR] Renewal for [IIS] finance.gsa.gov, (any host) failed, will retry on next run
2024-02-14 14:28:24.733 -05:00 [INF] No command line arguments provided
2024-02-14 14:28:24.858 -05:00 [WRN] Found 1 files older than 120 days in C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
2024-02-14 14:28:24.870 -05:00 [INF] Software version 2.1.15.1008 (release, pluggable, standalone, 64-bit) started
2024-02-14 14:28:24.870 -05:00 [INF] Connecting to "https://acme-v02.api.letsencrypt.org/"...
2024-02-14 14:28:25.822 -05:00 [INF] Scheduled task looks healthy
2024-02-14 14:28:25.822 -05:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2024-02-14 14:28:39.103 -05:00 [INF] Renewing certificate for [IIS] finance.gsa.gov, (any host)
2024-02-14 14:28:40.346 -05:00 [INF] [finance.gsa.gov] Authorizing...
2024-02-14 14:28:40.347 -05:00 [INF] [finance.gsa.gov] Authorizing using http-01 validation (SelfHosting)
2024-02-14 14:29:42.201 -05:00 [ERR] [finance.gsa.gov] Authorization result: invalid
2024-02-14 14:29:42.206 -05:00 [ERR] [finance.gsa.gov] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: server failure at resolver looking up CAA for finance.gsa.gov",
"status": 400
}
2024-02-14 14:29:42.274 -05:00 [ERR] Renewal for [IIS] finance.gsa.gov, (any host) failed, will retry on next run
My web server is (include version): IIS 10
The operating system my web server runs on is (include version): Windows 2019
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): winacme 2.1.15.1008 (we are aware that we can upgrade)
Hi @jwomackgsa, and welcome to the LE community forum
I'm not too familiar with winacme, but the problem doesn't seem related to the ACME client at all: "DNS problem: server failure at resolver looking up CAA for finance.gsa.gov"
Yeah, I'm curious what tooling you're using that shows it working? finance.gsa.gov is a CNAME to finance.gss.gsa.gov, and that name isn't DNSSEC-signed (which should be fine by itself as there's a valid NSEC3 saying so), but one nameserver for that name doesn't seem to respond at all, and the other doesn't think that it's authoritative.
I was only looking at it from the root of gsa.gov where our CAA records are. I am not aware of us ever having CAA records for lower sub-domains, and certificate issuance has been working for several years, as can be seen by querying crt.sh. Has something recently changed in the CAA validation that would cause this to break?
The authoritative nameserver for the gss.gsa.gov namespace is a network load balancer. I don't run any of the network or DNS stack. How can I find out more information regarding the non-responsive / authoritative information so I can engage with my DNS team?
You had mentioned in your previous reply about different nameservers not responding or replying as authoritative. I didn't know if you have specific IPs that I could pass along that I could have them investigate. If it's related to the gss.gsa.gov name servers, then I will work with them on that.
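The two replies above describe what a CA's resolver does (follow the CNAME, then look up CAA at the name and each of its parents) and ask which nameserver is dead or non-authoritative. The script below is an added example written for this thread, not something posted by any participant or shipped with win-acme or acme.sh. It assumes `dig` (BIND utilities) is installed; the only hostnames it mentions are the ones already quoted in the thread, and they are used only in the usage comment. It reproduces the CAA tree-climbing of RFC 8659 for a hostname, follows the CNAME chain, and then queries every authoritative nameserver for each name directly with recursion disabled, so a server that times out or answers without the `aa` flag is printed with its name and IP.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): reproduce a CA's CAA lookups for a
# hostname and ask each authoritative nameserver directly, so a dead or
# non-authoritative server can be identified by name and address.
# Requires dig. Usage:  sh caa_audit.sh finance.gsa.gov

# Print the name and every ancestor up to (but excluding) the root, the
# order in which RFC 8659 climbs the tree looking for a CAA RRset.
# e.g. caa_chain finance.gss.gsa.gov -> finance.gss.gsa.gov gss.gsa.gov gsa.gov gov
caa_chain() {
    name=${1%.}
    while [ -n "$name" ]; do
        printf '%s\n' "$name"
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
}

# Print a name followed by each CNAME target it resolves to (max 8 hops),
# using the system resolver. A CA checks CAA on the alias and its target.
cname_targets() {
    name=${1%.}
    hops=0
    while [ -n "$name" ] && [ "$hops" -lt 8 ]; do
        printf '%s\n' "$name"
        name=$(dig +short CNAME "$name" 2>/dev/null | head -n 1 | sed 's/\.$//')
        hops=$((hops + 1))
    done
}

# Locate the closest enclosing zone of a name, then send a non-recursive CAA
# query to every address of every nameserver of that zone.
# Output columns: queried-name nameserver ip status aa-flag
probe_caa() {
    qname=$1
    ns_list=
    for z in $(caa_chain "$qname"); do
        # Read NS from the answer section only, so a CNAME at this name is
        # not mistaken for a nameserver.
        ns_list=$(dig +noall +answer NS "$z" 2>/dev/null | awk '$4 == "NS" { sub(/\.$/, "", $5); print $5 }')
        [ -n "$ns_list" ] && break
    done
    for ns in $ns_list; do
        for ip in $(dig +short A "$ns" 2>/dev/null); do
            # +norecurse: an authoritative server must answer on its own.
            # +time/+tries keep one unresponsive server from stalling the run.
            out=$(dig +norecurse +time=3 +tries=1 +noall +comments @"$ip" CAA "$qname" 2>/dev/null || true)
            status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
            [ -n "$status" ] || status=NO_RESPONSE
            # dig prints header flags in fixed order, so "qr aa" means the
            # server claims authority for the answer.
            case $out in
                *"flags: qr aa"*) aa=aa ;;
                *)                aa=not-authoritative ;;
            esac
            printf '%-28s %-28s %-16s %-12s %s\n' "$qname" "$ns" "$ip" "$status" "$aa"
        done
    done
}

# Every name on the CNAME chain, and every ancestor of each, is a lookup the
# CA's resolver may perform; a SERVFAIL or timeout on any of them yields the
# "server failure at resolver looking up CAA" error seen in the log above.
audit() {
    for name in $(cname_targets "$1"); do caa_chain "$name"; done \
        | awk '!seen[$0]++' \
        | while read -r q; do probe_caa "$q"; done
}

# Only touch the network when a hostname is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

A line showing `NO_RESPONSE`, `SERVFAIL`, `REFUSED`, or `not-authoritative` against a name in the chain is the server and address to hand to the DNS team; `NOERROR` with `aa` on every line (including an empty answer, which simply means no CAA record at that level) is what a successful issuance needs.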
I sometimes hesitate to recommend it though since all it really gives you is a really-verbose log from Unbound, which is often hard for me to make heads or tails of.