Error processing CAA for domain

Hi, the affected domain is mailman.dot.asia

1 Like

Hi @belikewata

checking that domain - https://check-your-website.server-daten.de/?q=mailman.asia

Host              T  IP-Address  is auth.  ∑ Queries  ∑ Timeout
mailman.asia         Name Error  yes       1          0
www.mailman.asia     Name Error  yes       1          0

Are you the domain owner?

Looks like the domain isn’t registered.

It’s mailman.dot.asia…
The dot is actually a name here.

3 Likes

Oh, thanks, didn’t know!

I believe you have the host wrong.
I have the SSL cert on the subdomain mailman.dot.asia

1 Like

Checking that domain - https://check-your-website.server-daten.de/?q=mailman.dot.asia

X Fatal error: Nameserver doesn’t support TCP connection: ns1.asia: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.asia / 52.72.246.207: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns2.asia: Timeout

Your name servers are buggy.

But Unboundtest doesn’t report an error.

What’s the exact error message? (which domain name has a problem)

Perhaps try it again one time.

Just tried again.
I’m running (am I running it correctly?):
certbot certonly --force-renewal --staging --dry-run -d mailman.dot.asia

Getting this response:
An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia

Prior to today, I ran certbot certonly --manual --staging --dry-run and didn’t have problems until today.

It seems like your DNS server might have some issues.
You might need to try again after some time or contact your DNS hosting provider.

Thank you

Thanks I will try again later.

A quick test indicates that your domain is queriable from our servers. It might’ve been a temporary issue with your server. I’d give it another try soon.

2 Likes

I’m still getting the same results:

An unexpected error occurred:
Error finalizing order :: While processing CAA for mailman.dot.asia: DNS problem: query timed out looking up CAA for mailman.dot.asia

I’ve even updated DNS and added CAA records which digs correctly:
; <<>> DiG 9.8.3-P1 <<>> dot.asia type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16796
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dot.asia. IN TYPE257

;; ANSWER SECTION:
dot.asia. 21599 IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267
dot.asia. 21599 IN TYPE257 # 18 000569737375657365637469676F2E636F6D
dot.asia. 21599 IN TYPE257 # 18 00056973737565676F64616464792E636F6D
(these are CAA whitelists for godaddy, letsencrypt, and sectigo as allowed CAs)

I’m at a loss.

It’s failing to look up mailman.dot.asia's CAA records, not dot.asia's. (That might also be failing, though; it only reports one error.)

I have no idea why it’s failing, though – it works for me and unboundtest.com.

hmmm… I read that CAA for root (dot.asia) domains will cascade down to subdomains (mailman.dot.asia) and we only need to set records for root.

That’s correct – but checking by the CA cascades up.

mailman.dot.asia can have CAA records. If it doesn’t, Let’s Encrypt will use dot.asia's CAA records (if it has any) (and the same with asia itself). But Let’s Encrypt has to be able to successfully do a CAA query for mailman.dot.asia in order to find out which it is.

1 Like

oh I see. Thanks for the insight. I will add a CAA for mailman.dot.asia and try again.

To be clear:

There is no requirement that CAA records exist.

The requirement is that either they exist or the DNS servers properly determine that they don’t exist.

Adding records might not fix the problem, whatever it is.

2 Likes

You may use a temporary fix.

Current: mailman.dot.asia -> CNAME jerry.dot.asia

First step: Remove the CNAME, add an A-record

mailman.dot.asia -> ip of jerry.dot.asia

Second step: Add a CAA

mailman.dot.asia

Then try to create a certificate.

2 Likes
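The following is an added example, not Let’s Encrypt’s (Boulder’s) code and not posted by anyone in this thread. It models the CAA behaviour discussed above: the CA climbs from mailman.dot.asia toward the root and uses the first name that returns CAA records (RFC 8659 section 3), a NODATA or NXDOMAIN answer at a name is fine and the climb continues, but a timeout stops the whole check because the CA cannot tell “no records here” from “unknown”. The three dot.asia records are decoded from the TYPE257 hex in the dig output earlier in the thread. The resolver and zone data are constructed in memory so it runs offline; the stub follows the mailman -> jerry CNAME itself, as a recursive resolver would (RFC 8659 leaves alias handling to the resolver), so in this model the CNAME and A-record variants both reach the dot.asia records. Why the real CNAME path timed out is not established on this page.

```python
"""CAA relevant-record-set walk (RFC 8659, section 3) against a stub resolver.

Added example; not Let's Encrypt's (Boulder's) code. Zone data is constructed.
"""
from dataclasses import dataclass


class DnsTimeout(Exception):
    """No answer at all: neither records nor a NODATA/NXDOMAIN response."""


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(hex_rdata: str) -> CAA:
    """Decode generic RFC 3597 TYPE257 RDATA (the '# <len> <hex>' form dig
    prints when it lacks a CAA presentation format): flags, tag length,
    tag, then the value occupies the rest of the RDATA."""
    raw = bytes.fromhex(hex_rdata)
    flags, tag_len = raw[0], raw[1]
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("ascii")
    return CAA(flags, tag, value)


# Hex copied from the thread's dig output for dot.asia.
DOT_ASIA_HEX = [
    "000569737375656C657473656E63727970742E6F7267",
    "000569737375657365637469676F2E636F6D",
    "00056973737565676F64616464792E636F6D",
]
DOT_ASIA_CAA = [parse_caa_rdata(h) for h in DOT_ASIA_HEX]

# Constructed zone: owner name -> one of
#   list[CAA]          answer (empty list = NODATA)
#   "NXDOMAIN"         name does not exist
#   "TIMEOUT"          the authoritative servers never answer
#   ("CNAME", target)  alias; the recursive resolver follows it transparently
ZONE_WORKING = {
    "asia": [],
    "dot.asia": DOT_ASIA_CAA,
    "jerry.dot.asia": [],
    "mailman.dot.asia": ("CNAME", "jerry.dot.asia"),
}
# Same zone, but CAA queries for the leaf name time out, as in the thread.
ZONE_BROKEN = dict(ZONE_WORKING, **{"mailman.dot.asia": "TIMEOUT"})


class StubResolver:
    def __init__(self, zone: dict):
        self.zone = zone

    def query_caa(self, name: str) -> list:
        answer = self.zone.get(name, "NXDOMAIN")
        if isinstance(answer, tuple):  # CNAME: answer with the target's CAA set
            return self.query_caa(answer[1])
        if answer == "TIMEOUT":
            raise DnsTimeout(f"query timed out looking up CAA for {name}")
        if answer == "NXDOMAIN":
            return []  # NXDOMAIN and NODATA both mean "no CAA at this name"
        return list(answer)


def relevant_caa_set(resolver: StubResolver, fqdn: str):
    """Climb from fqdn toward the root; the first owner that returns CAA
    records supplies the relevant set. Returns (records, owner) or ([], None).
    A DnsTimeout propagates: the CA must not fall back to the parent when it
    could not learn whether the child has records of its own."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = resolver.query_caa(owner)
        if rrset:
            return rrset, owner
    return [], None


def issuance_outcome(zone: dict, fqdn: str, ca_domain: str) -> str:
    """'permitted', 'forbidden' or 'dns-error' for ca_domain issuing to fqdn.
    Only the 'issue' tag is evaluated; issuewild and iodef are ignored here."""
    try:
        rrset, _ = relevant_caa_set(StubResolver(zone), fqdn)
    except DnsTimeout:
        return "dns-error"
    issue = [r for r in rrset if r.tag == "issue"]
    if not issue:
        return "permitted"  # no issue property anywhere up the tree: unrestricted
    # 'issue ";"' (empty issuer) forbids everyone; otherwise match the CA domain
    allowed = {r.value.split(";", 1)[0].strip() for r in issue}
    return "permitted" if ca_domain in allowed else "forbidden"


if __name__ == "__main__":
    print([(r.tag, r.value) for r in DOT_ASIA_CAA])
    print("working zone:", issuance_outcome(ZONE_WORKING, "mailman.dot.asia", "letsencrypt.org"))
    print("broken zone: ", issuance_outcome(ZONE_BROKEN, "mailman.dot.asia", "letsencrypt.org"))
```

Running it shows the two situations from the thread side by side: with a working leaf (CNAME or not) the walk passes through mailman.dot.asia, gets an empty set, and lands on the dot.asia records that permit letsencrypt.org; with the leaf timing out, the outcome is a DNS error regardless of what dot.asia publishes, which is why adding records at the parent alone could not fix it.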

This did the trick. So it appears the CAA query could not get through via CNAME for some reason.
Dry run renewal on staging successful,
Live renewal successful!

Thanks @JuergenAuer and everyone here for your input :slight_smile:

2 Likes

Ah, happy to read that this “trick” has worked. Thanks for reporting back :+1:

Normally, both versions should work.

1 Like
