DNS problem: query timed out looking up CAA

My domain is: sst-institute.net

I ran this command: sudo /opt/letsencrypt/letsencrypt-auto renew
(this has worked in the past)

It produced this output:
Processing /etc/letsencrypt/renewal/dev.sst-institute.net.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sst-institute.net
tls-sni-01 challenge for dev.sst-institute.net
tls-sni-01 challenge for www.sst-institute.net
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/dev.sst-institute.net.conf produced an unexpected error: Failed authorization procedure. sst-institute.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for sst-institute.net, dev.sst-institute.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for dev.sst-institute.net, www.sst-institute.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for www.sst-institute.net. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/playsas.net/fullchain.pem (failure)
/etc/letsencrypt/live/dev.sst-institute.net/fullchain.pem (failure)

My operating system is (include version): Ubuntu 14.04.4 LTS

My web server is (include version): Apache/2.4.7

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

These DNS reports on sst-institute.net seem to indicate that things are okay:

https://intodns.com/sst-institute.net
http://dnsviz.net/d/sst-institute.net/dnssec/

Your DNS is mostly okay but not okay enough. :grimacing: The types of DNS queries those report sites try all work. Let's Encrypt also makes CAA queries, which fail.

There was recently another discussion about this problem with your DNS provider:

You'll need to contact Netregistry about fixing it, or switch to a different DNS host.

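To make the reply above concrete: the CA asks the DNS for records of type CAA (RFC 6844, qtype 257) for the name being validated and then for each parent name, and it only treats the lookup as successful if it gets a real answer, either NOERROR (with or without CAA records) or NXDOMAIN. A server that silently drops unknown query types produces the "query timed out looking up CAA" failure even though A, NS, MX and the other types the report sites test all answer. The following is an added example, not code from the original thread or from Let's Encrypt's software: a minimal raw-wire CAA query builder, response parser and classifier with a constructed (not captured) sample response so it runs offline, plus a live UDP check you can point at your own authoritative nameserver. Function names and the sample data are my own; the summary of how the CA interprets the rcodes reflects RFC 6844 tree climbing, not the CA's exact internal resolver configuration.

```python
"""Check whether a nameserver answers CAA (RFC 6844, qtype 257) queries.

Added example for the thread above; not Let's Encrypt's own code.
"""
import socket
import struct
import sys

CAA_TYPE = 257
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_caa_query(name, txid=0x1234):
    """DNS query: RD set, one question for <name> CAA IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", CAA_TYPE, 1)


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Return txid, rcode name and the CAA records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # qtype + qclass
    caa = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == CAA_TYPE:  # rdata: flags(1) taglen(1) tag value
            taglen = rdata[1]
            caa.append((name, rdata[0], rdata[2:2 + taglen].decode("ascii"),
                        rdata[2 + taglen:].decode("utf-8", "replace")))
    return {"id": txid, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)), "caa": caa}


def classify(parsed):
    """None = no reply at all, which the CA reports as a CAA timeout."""
    if parsed is None:
        return "FAIL: timeout (server does not respond to CAA queries)"
    if parsed["rcode"] == "NOERROR" and parsed["caa"]:
        return "OK: CAA records present; the CA must be listed in them"
    if parsed["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "OK: no CAA records, no restriction"
    return "FAIL: rcode %s" % parsed["rcode"]


def query_caa(name, server, timeout=5.0):
    """Send one CAA query over UDP to <server>; None on timeout or bad txid."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_caa_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    parsed = parse_response(data)
    return parsed if parsed["id"] == 0x1234 else None


def check_tree(name, server, timeout=5.0):
    """Query the name and every parent (RFC 6844 tree climbing)."""
    labels = name.rstrip(".").split(".")
    return {".".join(labels[i:]): classify(query_caa(".".join(labels[i:]), server, timeout))
            for i in range(len(labels))}


def build_sample_response(name, caa_records, rcode=0, txid=0x1234):
    """Constructed response (not from any real server) to test the parser.
    Answers point back at the question name with 0xC00C, as servers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(caa_records), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", CAA_TYPE, 1)
    for flags, tag, value in caa_records:
        rdata = struct.pack("BB", flags, len(tag)) + tag.encode() + value.encode()
        msg += b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, 1, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # usage: python3 caa_check.py sst-institute.net <nameserver-ip>
    for qname, verdict in check_tree(sys.argv[1], sys.argv[2]).items():
        print("%-30s %s" % (qname, verdict))
```

Point the live check at the zone's own authoritative nameservers (from the NS records) rather than a recursive resolver: the authoritative server is where a dropped CAA query shows up as a bare timeout, while a recursive resolver in between will usually turn the same failure into SERVFAIL. Either result is a failure for issuance; only NOERROR or NXDOMAIN counts as "CAA checked".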

Thanks for your reply.

That all makes sense now. The fact that it’s not answering CAA queries at all is causing the problem for the renewal script.

We’ll find another way around this.

Thanks again.
