Error processing CAA for domain

I only received this notice at 11pm on Mar 3rd, 2020. I’m trying my best to force renew my affected certs, but I’m getting a DNS error?

An unexpected error occurred:
Error finalizing order :: While processing CAA for example.com: DNS problem: query timed out looking up CAA for example.com

My domain is correctly in DNS (has been all along) and I’m able to access it. SSL checkers can still validate the existing cert that was only renewed under 10 days ago. Is this problem from my end or at LetsEncrypt?

Please share your domain name (and the hostnames) with us.
There's no way anyone can know what's going on unless you share some information with us.

Thank you

2 Likes

Hi @belikewata,

Welcome to the community forum!

Can you please post your domain so we can better assist you?

1 Like

Hi, the affected domain is mailman.dot.asia

1 Like

Hi @belikewata

Checking that domain - mailman.asia - Make your website better - DNS, redirects, mixed content, certificates

Host              T   IP-Address   is auth.   ∑ Queries   ∑ Timeout
mailman.asia          Name Error   yes        1           0
www.mailman.asia      Name Error   yes        1           0

Are you the domain owner?

Looks like the domain isn't registered.

It's mailman.dot.asia...
The dot is actually a name here.

3 Likes

Oh, thanks, didn't know!

I believe you have the host wrong.
I have the SSL cert on the subdomain mailman.dot.asia

1 Like

Checking that domain - https://check-your-website.server-daten.de/?q=mailman.dot.asia

X Fatal error: Nameserver doesn’t support TCP connection: ns1.asia: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.asia / 52.72.246.207: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns2.asia: Timeout

Your name servers are buggy.

But Unboundtest doesn’t report an error.

What’s the exact error message? (which domain name has a problem)

Perhaps try it again one time.

Just tried again.
I’m running (am I running it correctly?):
certbot certonly --force-renewal --staging --dry-run -d mailman.dot.asia

Getting this response:
An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia

Prior to today, I ran using certbot certonly --manual --staging --dry-run and didn’t have problems until today.

It seems like your DNS server might have some issues.
You might need to try again after some time or contact your DNS hosting provider.

Thank you

Thanks I will try again later.

A quick test indicates that your domain is queryable from our servers. It might’ve been a temporary issue with your server. I’d give it another try soon.

2 Likes

I’m still getting the same results:

An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia

I’ve even updated DNS and added CAA records, which dig resolves correctly:

; <<>> DiG 9.8.3-P1 <<>> dot.asia type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16796
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dot.asia. IN TYPE257

;; ANSWER SECTION:
dot.asia. 21599 IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267
dot.asia. 21599 IN TYPE257 # 18 000569737375657365637469676F2E636F6D
dot.asia. 21599 IN TYPE257 # 18 00056973737565676F64616464792E636F6D

(these are CAA whitelists for godaddy, letsencrypt, and sectigo as allowed CAs)

I’m at a loss.

It’s failing to look up mailman.dot.asia's CAA records, not dot.asia's. (That might also be failing, though; it only reports one error.)

I have no idea why it’s failing, though – it works for me and unboundtest.com.

hmmm… I read that CAA for root (dot.asia) domains will cascade down to subdomains (mailman.dot.asia) and we only need to set records for root.

That’s correct – but checking by the CA cascades up.

mailman.dot.asia can have CAA records. If it doesn’t, Let’s Encrypt will use dot.asia's CAA records (if it has any) (and the same with asia itself). But Let’s Encrypt has to be able to successfully do a CAA query for mailman.dot.asia in order to find out which it is.

1 Like

oh I see. Thanks for the insight. I will add a CAA for mailman.dot.asia and try again.

To be clear:

There is no requirement that CAA records exist.

The requirement is that either they exist or the DNS servers properly determine that they don’t exist.

Adding records might not fix the problem, whatever it is.

2 Likes
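The lookup order the two replies above describe (mailman.dot.asia first, then dot.asia, then asia), together with decoding the raw TYPE257 output the old dig printed, as an added example that is not part of this thread. The zone data is constructed and the timeout is simulated; a name that is absent from the dict stands for an NXDOMAIN answer.

```python
"""Decode raw CAA RDATA as old dig prints it (TYPE257 "\\# len hex") and
walk the CAA lookup order from the thread. Added example; zone data is
constructed, and None simulates the "query timed out" failure."""

def decode_caa(hex_rdata: str) -> tuple[int, str, str]:
    """RFC 3597 generic RDATA for CAA: flags(1) tag_len(1) tag value."""
    raw = bytes.fromhex(hex_rdata)
    flags, tag_len = raw[0], raw[1]
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("ascii")
    return flags, tag, value

# Constructed zone views. A list is an authoritative answer ([] means the
# server positively says "no CAA at this name"); None models a timeout.
DOT_ASIA_CAA = [
    "000569737375656C657473656E63727970742E6F7267",  # issue letsencrypt.org
    "000569737375657365637469676F2E636F6D",          # issue sectigo.com
    "00056973737565676F64616464792E636F6D",          # issue godaddy.com
]
ZONE_BROKEN = {"mailman.dot.asia": None, "dot.asia": DOT_ASIA_CAA, "asia": []}
ZONE_FIXED = {"mailman.dot.asia": [], "dot.asia": DOT_ASIA_CAA, "asia": []}

def relevant_caa(fqdn: str, zone: dict) -> tuple[str, list[tuple[str, str]]]:
    """Climb from fqdn toward the TLD and return (name, [(tag, value), ...])
    for the closest name that has CAA records, or (fqdn, []) if none does.
    Raise TimeoutError as soon as one lookup fails: the CA cannot prove the
    records are absent, so a parent's records are never consulted."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zone.get(name, [])  # absent name: NXDOMAIN, keep climbing
        if rrset is None:
            raise TimeoutError(f"query timed out looking up CAA for {name}")
        if rrset:
            return name, [decode_caa(r)[1:] for r in rrset]
    return fqdn, []

if __name__ == "__main__":
    print(relevant_caa("mailman.dot.asia", ZONE_FIXED))
    try:
        relevant_caa("mailman.dot.asia", ZONE_BROKEN)
    except TimeoutError as exc:
        print("issuance blocked:", exc)
```

Note that adding CAA records to dot.asia changes nothing in the broken case: the walk never gets past the timed-out child name.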

You may use a temporary fix.

Current: mailman.dot.asia -> CNAME jerry.dot.asia

First step: Remove the CNAME, add an A-record

mailman.dot.asia -> ip of jerry.dot.asia

Second step: Add a CAA

mailman.dot.asia

Then try to create a certificate.

2 Likes