My domain is: pp.myplan.on.bluecross.ca
I am using cert-manager to provision Let’s Encrypt certificates in my Kubernetes cluster using the ACME DNS Challenge. For some reason the authorization is failing with the following error:
DNS problem: query timed out looking up CAA for pp.myplan.on.bluecross.ca
When I run `dig pp.myplan.on.bluecross.ca caa` I have the following result:

```
;; QUESTION SECTION:
;pp.myplan.on.bluecross.ca. IN CAA

;; ANSWER SECTION:
pp.myplan.on.bluecross.ca. 3599 IN CNAME bluecross.demo.direct.getbreathe.life.
bluecross.demo.direct.getbreathe.life. 29 IN CNAME o-breathelife-prod2-reblaze-com.breathelife.prod2.reblaze.com.
o-breathelife-prod2-reblaze-com.breathelife.prod2.reblaze.com. 60 IN CAA 0 issue "letsencrypt.org"
```

A few things to note:
- We are generating a certificate for our client, as we do not own the bluecross.ca domain nor operate the DNS for that domain. Hence we have a CNAME in place to our domain (getbreathe.life). We in turn have a CNAME to a Reblaze subdomain, which is a Cloud WAF vendor.
- Our client is using a DNS server that does not support CAA records.
- Reblaze is using the ACME HTTP Challenge to generate certificates on its side and it works.
Any help would be greatly appreciated.