Domain is managed but getting ERROR CA forbidden

My domain is: career.cnu.edu

It produced this output:
“careers.cnu.edu” is managed.
ERROR CA forbidden: “careers.cnu.edu”

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): AlmaLinux 8.9

My hosting provider, if applicable, is: LiquidWeb

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/cPanel 118.0.4

I am unable to get a certificate issued though Let's Encrypt for careers.cnu.edu even though this domain is hosted on a box that I control. I am able to get a SSL issued though Sectigo for the domain but cPanel is discontinuing support for Sectigo. Therefore Let's Encrypt is doing something different to validate the domain than Sectigo is.

The subdomain is pointed to our server via an A record by a client of ours. I have the same set up for other clients and am able to get Let's Encrypt to issue SSLs for those domains, for example epss.morgan.edu

Your domain has a CAA record in place that only allows certs to be issued by Sectigo:

 dan@Dan-MBP-2019  ~  dig caa careers.cnu.edu

; <<>> DiG 9.10.6 <<>> caa careers.cnu.edu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62810
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;careers.cnu.edu.		IN	CAA

;; ANSWER SECTION:
careers.cnu.edu.	300	IN	CAA	0 issue "sectigo.com"

;; Query time: 105 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Mar 19 18:50:48 EDT 2024
;; MSG SIZE  rcvd: 74

You'll need to either remove that, or add another one that allows certs from letsencrypt.org.

5 Likes

Looks like from the Domain's DNS SOA that mailto:dns_admin@cnu.edu is the email to contact
and the name servers are

  1. ns1.cnu.edu.
  2. ns2.cnu.edu.
  3. ns3.cnu.edu.
  4. ns4.cnu.edu.
1 Like

And here is a list of issued certificates crt.sh | careers.cnu.edu

Has there been a change on Internet Providers recently (or some other piece of infrastructure)?

1 Like

The domain name www.career.cnu.edu does not match the presently being served certificate,
but the domain name career.cnu.edu does match.

1 Like

Thanks for the help. Our system is replacing SSLs by Sectigo with those by Let's Encrypt. This is the only domain that we have run into this issue with.

1 Like

Do you understand what you need to do to fix that? If not speak to whoever controls your DNS. See more details here:

5 Likes

Somebody may have manually made that specific CAA record for this subdomain (maybe following some Sectigo documentation; it could be a reasonable choice if you have an organizational policy to use only a specific certificate authority or only those on a specific list). I don't know why nobody would have done the same thing for other subdomains; maybe there was someone especially conscientious involved in setting up that particular part of your infrastructure?

2 Likes

I understand what needs to be done. I have already put in a request for the client to add the appropriate CAA record as they control the DNS for this subdomain.

4 Likes