My domain is: dataone.sensor.nevada.edu
I ran this command: sudo certbot --apache certonly
It produced this output:
Failed authorization procedure. dataone.sensor.nevada.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: CAA record for dataone.sensor.nevada.edu prevents issuance
The following errors were reported by the server:
Detail: CAA record for dataone.sensor.nevada.edu prevents issuance
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): apache 2.4.7
The operating system my web server runs on is (include version): Ubuntu 14.04
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Is this a problem with the DNS server (which I don’t control)? Or am I messing something up? It was working fine for more than a year, up until a couple months ago and now I can’t seem to get any new certificates.
It turns out that nevada.edu has a CAA record only allowing issuance by DigiCert. If you have control over the DNS zone for dataone.sensor.nevada.edu, you can add your own CAA record allowing Let’s Encrypt to issue certificates for this domain. This record will take precedence over the nevada.edu record shown below, as CAA records are evaluated on FQDNs from left to right, stopping at the first result.
# dig nevada.edu CAA
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> nevada.edu CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24039
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nevada.edu. IN CAA
;; ANSWER SECTION:
nevada.edu. 3660 IN CAA 0 iodef "mailto:email@example.com"
nevada.edu. 3660 IN CAA 0 issue "digicert.com"
;; Query time: 101 msec
;; SERVER: 172.18.10.20#53(172.18.10.20)
;; WHEN: Mon Aug 14 17:00:59 2017
;; MSG SIZE rcvd: 106
The "problem" is here:
nevada.edu has a CAA record and only allows certificates issued by digicert:
$ dig nevada.edu caa +short
0 issue "digicert.com"
0 iodef "mailto:firstname.lastname@example.org"
so Let's Encrypt can't issue a certificate for your domain. If you control the DNS you should be able to create a CAA record for dataone.sensor.nevada.edu where Let's Encrypt is authorized to issue a cert for this domain.
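The two replies above describe the same mechanism: the CA starts at the requested FQDN and climbs one label at a time toward the root, stops at the first name that has a CAA RRset, and then checks whether its own issuer domain appears in an `issue` property there. The script below is an added example written for this page (it is not Let's Encrypt's code and does no live DNS lookups); it evaluates that rule over a constructed zone table that mirrors the `dig nevada.edu CAA` output quoted above, and then shows why adding `0 issue "letsencrypt.org"` at `dataone.sensor.nevada.edu` unblocks issuance. The name `letsencrypt.org` is Let's Encrypt's real CAA identifier; the `ZONE` dictionary and function names are the example's own.

```python
"""CAA authorization check following the RFC 8659 climbing rule (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Textual CAA presentation format: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
CRITICAL_FLAG = 128  # issuer-critical bit in the flags octet


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse one record as printed by `dig ... CAA +short`."""
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone data (no network): the nevada.edu records seen in the dig output.
ZONE: Dict[str, List[str]] = {
    "nevada.edu": [
        '0 iodef "mailto:email@example.com"',
        '0 issue "digicert.com"',
    ],
}


def lookup_caa(zone: Dict[str, List[str]], fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from fqdn toward the root; return the first name with a CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return None, []


def issuer_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[str]], fqdn: str, ca_domain: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether a CA identified by ca_domain may issue for fqdn."""
    name, rrset = lookup_caa(zone, fqdn)
    if not rrset:
        return True, "no CAA record on the name or any ancestor; issuance permitted"
    # A record with an unknown tag and the critical flag set must block issuance.
    for r in rrset:
        if r.flags & CRITICAL_FLAG and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property '{r.tag}' at {name}"
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True, f"CAA at {name} has no '{tag}' property; issuance permitted"
    allowed = {issuer_of(r.value) for r in relevant}
    if ca_domain.lower() in allowed:
        return True, f"CAA at {name} authorizes {ca_domain}"
    return False, f"CAA at {name} permits only {sorted(allowed)}"


def zone_with_subdomain_fix(zone: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """The fix suggested above: a CAA RRset at the subdomain is found first."""
    fixed = dict(zone)
    fixed["dataone.sensor.nevada.edu"] = ['0 issue "letsencrypt.org"']
    return fixed


if __name__ == "__main__":
    host = "dataone.sensor.nevada.edu"
    print(may_issue(ZONE, host, "letsencrypt.org"))
    print(may_issue(ZONE, host, "digicert.com"))
    print(may_issue(zone_with_subdomain_fix(ZONE), host, "letsencrypt.org"))
```

Because the climb stops at the first RRset it finds, the subdomain record shadows the parent's `digicert.com` restriction for `dataone.sensor.nevada.edu` only; every other name under nevada.edu still resolves to the parent's policy.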
Thank you for the replies.
The issue is that acquiring the certificates from Let’s Encrypt for this domain used to work for more than a year. Is this extra CAA check a recent development by Let’s Encrypt?
No, it's not recent. I'd guess that nevada.edu added (or changed) the DNS records recently.
Ah ha. Thank you for that.
I’m currently communicating with the DNS admins to add a CAA record for my subdomain. Hopefully I’ll hear back soon.
Thank you all for the replies!