Error finalizing order Rechecking CAA failed. Refer to sub-problems for more information

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
captweb.captainct.org
geoserver1.captainct.org
geoserver2.captainct.org
geoserver3.captainct.org
geoserver4.captainct.org

I ran this command:
using “Certify The Web” latest version
It produced this output:
This is what is in the log file:
2020-03-03 13:16:44.339 -05:00 [INF] Order authorizations already completed.
2020-03-03 13:16:44.339 -05:00 [INF] Requesting Certificate via Let’s Encrypt
2020-03-03 13:17:16.309 -05:00 [ERR] Failed to finalize certificate order: Error finalizing order :: Rechecking CAA for “geoserver2.captainct.org” and 4 more identifiers failed. Refer to sub-problems for more information
2020-03-03 13:17:17.340 -05:00 [INF] The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to finalize certificate order: Error finalizing order :: Rechecking CAA for “geoserver2.captainct.org” and 4 more identifiers failed. Refer to sub-problems for more information
2020-03-03 13:17:17.341 -05:00 [INF] The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to finalize certificate order: Error finalizing order :: Rechecking CAA for “geoserver2.captainct.org” and 4 more identifiers failed. Refer to sub-problems for more information

My web server is (include version):
IIS 8.0.9200.16384
The operating system my web server runs on is (include version):
Windows Server 2012
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
CertifyTheWeb version 4.1.7.0

Any help greatly appreciated, I’ve tried multiple times today, and my certs will be revoked tomorrow as per email from you folks. Thanks! Not sure how to diagnose further. I don’t know where to find the sub-problem list…

1 Like

This should be located in CTW’s Let’s Encrypt log (I’m not sure if they have it or not, but they should)
Tagging @webprofusion for more information.

I just finally tried with just one domain name. Now there are no “sub-problems”. Here is the error:

DNS problem: query timed out looking up CAA for captweb.captainct.org

I’m thinking this is a DNS issue and not a LetsEncrypt or Certify the Web issue at all.

What domain/ip or ip range will the LetsEncrypt DNS queries be coming from? I’m thinking the problem is at the DNS server, sounds like, ignoring the requests for some reason. I’d like to tell them to whitelist your service. Where would I find such info, do you have it?

Thanks for all your help!

1 Like
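A worked model of the CAA recheck behind the "query timed out looking up CAA" error above, added here as an example (it is not code from this thread, from Certify The Web, or from Let's Encrypt). The resolver is injected and the zone is constructed, so it runs offline; the function names make_resolver, find_caa, caa_permits and check_order are assumptions of this example.

```python
"""CAA recheck as a CA performs it before issuance (RFC 8659 section 3): a
timeout is a hard failure, not "no CAA", since the CA cannot tell a missing
record from a blocked query and must refuse to issue rather than guess."""
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                  # (tag, value), e.g. ("issue", "letsencrypt.org")
Resolver = Callable[[str], List[Record]]  # [] means NOERROR/NODATA; raises on timeout
class CAATimeout(Exception): pass         # the resolver got no CAA answer in time

def make_resolver(zone: Dict[str, object]) -> Resolver:
    """Offline resolver over a constructed zone map; "TIMEOUT" simulates a dropped query."""
    def resolve(name: str) -> List[Record]:
        answer = zone.get(name, [])
        if answer == "TIMEOUT":
            raise CAATimeout(f"query timed out looking up CAA for {name}")
        return list(answer)
    return resolve

def find_caa(name: str, resolve: Resolver) -> Tuple[Optional[str], List[Record]]:
    """Query CAA at name, then at each parent label, until an RRset is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = resolve(candidate)
        if records:
            return candidate, records
    return None, []                        # no CAA anywhere: issuance unrestricted

def caa_permits(name: str, ca_id: str, resolve: Resolver) -> Tuple[bool, str]:
    """May the CA known by ca_id ("letsencrypt.org") issue a non-wildcard cert for name?"""
    try:
        found_at, records = find_caa(name, resolve)
    except CAATimeout as exc:
        return False, str(exc)             # DNS problem -> this identifier fails
    if found_at is None:
        return True, "no CAA record in tree"
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    if not issuers:                        # only iodef/issuewild: does not restrict
        return True, f"CAA at {found_at} has no issue tag"
    if ca_id in issuers:
        return True, f"CAA at {found_at} permits {ca_id}"
    return False, f"CAA at {found_at} does not list {ca_id}"

def check_order(names: List[str], ca_id: str, resolve: Resolver) -> Dict[str, Tuple[bool, str]]:
    """Recheck every identifier; one failure fails the order, and the per-name
    reasons are the "sub-problems" a client should surface to the user."""
    return {n: caa_permits(n, ca_id, resolve) for n in names}

# Constructed zone: the parent authorises Let's Encrypt, but one host's CAA query is dropped.
SAMPLE_ZONE = {"captainct.org": [("issue", "letsencrypt.org")],
               "geoserver2.captainct.org": "TIMEOUT"}
```

Running check_order over the five names with make_resolver(SAMPLE_ZONE) shows that a single timed-out name fails the whole order while the others pass, which is why trying one name at a time exposed the specific failing lookup.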

Well, I don’t know what changed, but finally after trying all day, my cert has renewed!
Thanks for all your help, if I figure out what changed, I’ll post it here. I did speak with the person responsible for the DNS, but I don’t know if they changed something. I’m guessing they did…

EDIT: Nothing changed, I think LetsEncrypt was just too busy and timing out all day doing all the new CAA DNS queries for each cert request. It was only an issue because LetsEncrypt gave so many users just 24hr notice that our certs were about to be revoked.

3 Likes