I am using cert-manager to provision Let’s Encrypt certificates in my Kubernetes cluster using the ACME DNS Challenge. For some reason the authorization is failing with the following error: DNS problem: query timed out looking up CAA for pp.myplan.on.bluecross.ca
When I run dig pp.myplan.on.bluecross.ca caa I have the following result:
;; QUESTION SECTION:
;pp.myplan.on.bluecross.ca. IN CAA
;; ANSWER SECTION:
pp.myplan.on.bluecross.ca. 3599 IN CNAME bluecross.demo.direct.getbreathe.life.
bluecross.demo.direct.getbreathe.life. 29 IN CNAME o-breathelife-prod2-reblaze-com.breathelife.prod2.reblaze.com.
o-breathelife-prod2-reblaze-com.breathelife.prod2.reblaze.com. 60 IN CAA 0 issue "letsencrypt.org"
A few things to note:
We are generating a certificate for our client; we do not own the bluecross.ca domain, nor do we operate the DNS for that domain. Hence we have a CNAME in place to our domain (getbreathe.life). We in turn have a CNAME to a Reblaze subdomain (Reblaze is a cloud WAF vendor).
Our client is using a DNS server that does not support CAA records.
Reblaze is using the ACME HTTP Challenge to generate certificates on its side and it works.
Hi @JuergenAuer,
Yes, there is a fresh certificate that was generated by Reblaze using the HTTP challenge and which is deployed on the Reblaze load balancer, since this is fronting our application. But we also need to have a certificate on the upstream server that Reblaze is calling. I want the certificate on the upstream server to be valid for the same domains in case we need to disable Reblaze and redirect all traffic to our server directly.
Reusing the certificate deployed in Reblaze is doable but would require manual intervention, which goes against the purpose of using Let's Encrypt.
You say that the CAA issue is a temporary problem; is that something that was communicated by Let's Encrypt, or is this just an assumption on your part?
I tried multiple times since yesterday evening and I consistently get this error. I tried again 2 mins ago.
For now I have generated a partial certificate (only valid for my getbreathe.life subdomain) on my upstream server, since it was expiring on Feb 16th. I created another order for a certificate with both domains and I will monitor again in the upcoming days to see if it does eventually resolve correctly.
Recall that, because of the CAA processing rules for CAA lookups, these nameservers need to be able to respond to CAA queries when a CAA record isn't encountered for pp.myplan.on.bluecross.ca or myplan.on.bluecross.ca.