Error running auto ssl

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jmdavidson.com

I ran this command: Not a command; I tried to run AutoSSL on one of my domains

It produced this output: 3:10:52 PM Analyzing “jmdavidson.com”’s DCV results …
3:10:53 PM SUCCESS Let’s Encrypt DCV for “cpcontacts.jmdavidson.com” is valid until 7/15/23, 12:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: cpcontacts.jmdavidson.com
SUCCESS Let’s Encrypt DCV for “cpanel.jmdavidson.com” is valid until 7/28/23, 6:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: cpanel.jmdavidson.com
SUCCESS Let’s Encrypt DCV for “mail.jmdavidson.com” is valid until 7/22/23, 12:14 AM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: mail.jmdavidson.com
SUCCESS Let’s Encrypt DCV for “jmdavidson.com” is valid until 7/17/23, 12:14 AM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: jmdavidson.com
3:10:55 PM WARN “Let’s Encrypt™” HTTP DCV error (cpcalendars.jmdavidson.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: looking up CAA for cpcalendars.jmdavidson.com: DNSSEC: Bogus)
WARN “Let’s Encrypt™” HTTP DCV error (webdisk.jmdavidson.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: looking up CAA for webdisk.jmdavidson.com: DNSSEC: Bogus)
WARN “Let’s Encrypt™” HTTP DCV error (webmail.jmdavidson.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: looking up CAA for webmail.jmdavidson.com: DNSSEC: Bogus)
WARN “Let’s Encrypt™” HTTP DCV error (www.jmdavidson.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: looking up CAA for www.jmdavidson.com: DNSSEC: Bogus)
WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account (https://acme-v02.api.letsencrypt.org/acme/acct/1020553397) has reached a rate limit. (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt)) You may contact Let’s Encrypt to request a change to this rate limit.
ERROR “Let’s Encrypt™” general error (webdisk.jmdavidson.com): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (www.jmdavidson.com): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (webmail.jmdavidson.com): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (cpcalendars.jmdavidson.com): A rate limit prevents DCV.
AutoSSL will request a new certificate.
3:10:55 PM The system will attempt to renew the SSL certificate for (jmdavidson.com: jmdavidson.com mail.jmdavidson.com cpanel.jmdavidson.com cpcontacts.jmdavidson.com).
Certificate #1:jmdavidson.com” and 3 other domains
Creating certificate order …
3:10:56 PM WARN Net::ACME2::x::ACME: “https://acme-v02.api.letsencrypt.org/acme/finalize/1020553397/193351539167” indicated an ACME error: 403 Forbidden (403 urn:ietf:params:acme:error:caa (CAA records forbid the CA from issuing) (Error finalizing order :: Rechecking CAA for "cpanel.jmdavidson.com" and 2 more identifiers failed. Refer to sub-problems for more information) (dns/cpanel.jmdavidson.com: 403 urn:ietf:params:acme:error:caa (CAA records forbid the CA from issuing) (Error finalizing order :: While processing CAA for cpanel.jmdavidson.com: DNS problem: looking up CAA for cpanel.jmdavidson.com: DNSSEC: Bogus), dns/mail.jmdavidson.com: 403 urn:ietf:params:acme:error:caa (CAA records forbid the CA from issuing) (Error finalizing order :: While processing CAA for mail.jmdavidson.com: DNS problem: looking up CAA for mail.jmdavidson.com: DNSSEC: Bogus), dns/cpcontacts.jmdavidson.com: 403 urn:ietf:params:acme:error:caa (CAA records forbid the CA from issuing) (Error finalizing order :: While processing CAA for cpcontacts.jmdavidson.com: DNS problem: looking up CAA for cpcontacts.jmdavidson.com: DNSSEC: Bogus))). at /usr/local/cpanel/Cpanel/SSL/Auto/Run/User.pm line 393.

My web server is (include version):

The operating system my web server runs on is (include version): CentOS v7.9.2009 STANDARD kvm

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel whm 110.0.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

As the error message says, the DNSSEC for your domain is not working properly. CAA records need to be checked in order to issue a certificate, and while it's fine to not have CAA records, the DNS server needs to correctly return that it doesn't have any records rather than returning erroneous data. See the "CAA Errors" section of the Let's Encrypt documentation:

This is something that only your DNS provider can fix (or by switching to a DNS provider that knows what they're doing). And if you're using Network Solutions as your DNS provider, many people have found that they don't know how to run a DNS server.

6 Likes
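
Added example, not part of the original thread and not cPanel's or Let's Encrypt's code: a small Python triage of the AutoSSL log above. It shows that every failing name shares one cause, DNSSEC validation failing on the CAA lookup, and that the 403 `caa` and 429 `rateLimited` errors are downstream of it. The sample lines are abridged from the log in the question; the function names are hypothetical.

```python
import re

# Abridged from the AutoSSL log in the question (curly quotes kept as logged).
SAMPLE_LOG = """\
3:10:55 PM WARN “Let’s Encrypt™” HTTP DCV error (www.jmdavidson.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: looking up CAA for www.jmdavidson.com: DNSSEC: Bogus)
WARN AutoSSL failed to create a new certificate order because the server’s Let’s Encrypt account has reached a rate limit. (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many failed authorizations recently))
ERROR “Let’s Encrypt™” general error (www.jmdavidson.com): A rate limit prevents DCV.
3:10:56 PM WARN Net::ACME2::x::ACME: indicated an ACME error: 403 Forbidden (403 urn:ietf:params:acme:error:caa (CAA records forbid the CA from issuing) (dns/cpanel.jmdavidson.com: 403 urn:ietf:params:acme:error:caa (While processing CAA for cpanel.jmdavidson.com: DNS problem: looking up CAA for cpanel.jmdavidson.com: DNSSEC: Bogus), dns/mail.jmdavidson.com: 403 urn:ietf:params:acme:error:caa (While processing CAA for mail.jmdavidson.com: DNS problem: looking up CAA for mail.jmdavidson.com: DNSSEC: Bogus)))
"""

# "<status> urn:ietf:params:acme:error:<type>" as the ACME server reports it.
ACME_ERR = re.compile(r"\b\d{3} urn:ietf:params:acme:error:(\w+)")
# "looking up CAA for <host>: <reason>)" is the resolver-level detail.
CAA_LOOKUP = re.compile(r"looking up CAA for ([A-Za-z0-9.-]+): ([^)]+?)\s*\)")


def triage(log_text):
    """Return (set of ACME error types, {hostname: CAA lookup failure reason})."""
    error_types = set()
    caa_failures = {}
    for line in log_text.splitlines():
        error_types.update(ACME_ERR.findall(line))
        for host, reason in CAA_LOOKUP.findall(line):
            caa_failures[host.rstrip(".")] = reason.strip()
    return error_types, caa_failures


def root_cause(log_text):
    """Separate the underlying DNS fault from the errors it triggers."""
    error_types, caa_failures = triage(log_text)
    bogus = sorted(h for h, r in caa_failures.items() if "DNSSEC" in r)
    if not bogus:
        return {"primary": "unknown", "hosts": [], "secondary": sorted(error_types)}
    # A "caa" or "dns" error whose detail is a DNSSEC failure is not a CAA
    # policy denial; "rateLimited" follows from the repeated failed attempts.
    secondary = sorted(error_types - {"dns", "caa"})
    return {"primary": "dnssec-validation-failed-on-caa-lookup",
            "hosts": bogus, "secondary": secondary}


if __name__ == "__main__":
    print(root_cause(SAMPLE_LOG))
```
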
