Failed authorization procedure: urn:acme:error:connection

My domain is: dataone.sensor.nevada.edu

I ran this command: sudo certbot --apache certonly

It produced this output:
Failed authorization procedure. dataone.sensor.nevada.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for dataone.sensor.nevada.edu prevents issuance

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dataone.sensor.nevada.edu
    Type: connection
    Detail: CAA record for dataone.sensor.nevada.edu prevents issuance

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): apache 2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Is this a problem with the DNS server (which I don’t control)? Or am I messing something up? It was working fine for more than a year, up until a couple of months ago, and now I can’t seem to get any new certificates.

It turns out that nevada.edu has a CAA record only allowing issuance by DigiCert. If you have control over the DNS zone for dataone.sensor.nevada.edu, you can add your own CAA record allowing Let’s Encrypt to issue certificates for this domain. This record will take precedence over the nevada.edu record shown below, as CAA records are evaluated on FQDNs from left to right, stopping at the first result.

# dig nevada.edu CAA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> nevada.edu CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24039
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nevada.edu.                    IN      CAA

;; ANSWER SECTION:
nevada.edu.             3660    IN      CAA     0 iodef "mailto:hostmaster@nevada.edu"
nevada.edu.             3660    IN      CAA     0 issue "digicert.com"

;; Query time: 101 msec
;; SERVER: 172.18.10.20#53(172.18.10.20)
;; WHEN: Mon Aug 14 17:00:59 2017
;; MSG SIZE  rcvd: 106

Hello @unr-sensor,

The "problem" is here:

nevada.edu has a CAA record and only allows certificates issued by digicert:

$ dig nevada.edu caa +short
0 issue "digicert.com"
0 iodef "mailto:hostmaster@nevada.edu"

so Let's Encrypt can't issue a certificate for your domain. If you control the DNS you should be able to create a CAA record for dataone.sensor.nevada.edu where Let's Encrypt is authorized to issue a cert for this domain.

Cheers,
sahsanu

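Both replies above describe the same CAA lookup: the CA walks from the full name up through its parents and stops at the first name that has any CAA records, which is why the nevada.edu record governs dataone.sensor.nevada.edu until a record is added at the subdomain itself. The following script is an added example, not code from either poster; it implements that climbing check (as specified in RFC 8659) against constructed zone data modelled on the dig output in this thread, using "letsencrypt.org" as Let's Encrypt's CAA issuer domain.

```python
# CAA "climbing" check: look for CAA records at the FQDN, then at each parent
# name, and stop at the first name that has any. Zone data below is constructed
# from the dig output quoted in this thread; nothing here touches live DNS.

CAA_ZONE = {
    "nevada.edu": [
        (0, "iodef", "mailto:hostmaster@nevada.edu"),
        (0, "issue", "digicert.com"),
    ],
}


def relevant_caa(fqdn, zone):
    """Return (name, records) for the closest ancestor-or-self with CAA records."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = zone.get(name)
        if records:
            return name, records
    return None, []


def may_issue(fqdn, ca_domain, zone, wildcard=False):
    """Return (allowed, governing_name) for ca_domain issuing a cert for fqdn."""
    name, records = relevant_caa(fqdn, zone)
    if not records:
        return True, None  # no CAA anywhere up the tree: any CA may issue
    tags = {"issue"}
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        tags = {"issuewild"}  # issuewild overrides issue for wildcard names
    allowed = {
        value.split(";")[0].strip().lower()  # drop "; key=value" parameters
        for _, tag, value in records
        if tag in tags
    }
    if not allowed:
        return True, name  # only iodef etc. present: no restriction on issuers
    return ca_domain.lower() in allowed, name


if __name__ == "__main__":
    host = "dataone.sensor.nevada.edu"
    print(may_issue(host, "letsencrypt.org", CAA_ZONE))  # blocked by nevada.edu
    fixed = dict(CAA_ZONE)
    fixed[host] = [(0, "issue", "letsencrypt.org")]  # record added at the subdomain
    print(may_issue(host, "letsencrypt.org", fixed))  # now governed by the subdomain
```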

Thank you for the replies.

The issue is that acquiring the certificates from Let’s Encrypt for this domain used to work for more than a year. Is this extra CAA check a recent development by Let’s Encrypt?

No, it's not recent. I'd guess that nevada.edu added (or changed) the DNS records recently.


Ah ha. Thank you for that.

I’m currently communicating with the DNS admins to add a CAA record for my subdomain. Hopefully I’ll hear back soon.

Thank you all for the replies!
