Failed because of query timed out looking up CAA

Hi guys,
I have faced the issue "Failed authorization procedure. DNS problem: query timed out looking up CAA". I did look in the forum & found some similar threads, but they didn't deliver complete solutions.

My problem is when I was running:
sudo letsencrypt --apache -d www.hqwealth.com.au -d hqwealth.com.au -d hqwealth.aces.dover.com.au

After a bit, it returned

Failed authorization procedure. www.hqwealth.com.au (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: query timed out looking up CAA for www.hqwealth.com.au

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.hqwealth.com.au
    Type: connection
    Detail: DNS problem: query timed out looking up CAA for
    www.hqwealth.com.au

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I did run that command for many sites connecting to our sub-sites & succeeded; then I faced this issue with about 5 sites which have different domain providers.
Someone said that this issue is related to the domain providers since they don't respond properly, but there are not yet complete solutions to follow. Would you like to help me on this? Many thanks!

Your title and the start of your text suggest you have one issue, but the error text you reproduced is related to a quite different issue. Is it the case that you’ve tried to guess what is wrong, or do you have error text related to the problem mentioned in the title?

Hi @tialaramex, I have modified the log of errors as above; there were a couple of failures related to other domains and I pasted the wrong case. The hqwealth.com.au above is the one with the CAA issue. Thank you

I see. Unfortunately there is no easy answer for you with the CAA timeout. Your DNS server is responsible for correctly answering this type of query, if the server is some software you have purchased then you should ask the vendor for a fix or else consider replacing it. If your DNS is provided as a service by another supplier you would need to tell them it’s faulty, that it must be modified to correctly answer CAA queries, not doing so is forbidden. Hopefully the supplier can rectify the problem quickly, especially if they have other similar customers complaining about this.

1 Like
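The CA-side lookup described in the reply above, as an added example that is not from this thread or from Let's Encrypt's own code: it walks the name and its parents the way RFC 6844 requires and treats a timeout or SERVFAIL as a hard failure, which is why a provider that drops CAA queries blocks issuance even when no CAA record exists at all. The live `dnspython_lookup` assumes the third-party dnspython package; the lookup is injectable so the evaluation can be exercised offline, and it also covers the wildcard (`issuewild`) and critical-flag rules beyond this thread's case.

```python
"""CAA pre-flight check: reproduces the lookup a CA performs (RFC 6844 sec. 4)."""
from typing import Callable, List, Tuple

# Result of one CAA query: ("records", [(flags, tag, value), ...]),
# ("nodata", []) for NOERROR/NXDOMAIN with no CAA RRset, or ("error", reason)
# for a timeout/SERVFAIL, which the CA must treat as a hard failure.
Result = Tuple[str, object]
Lookup = Callable[[str], Result]


def caa_chain(name: str) -> List[str]:
    """Names the CA checks, from the FQDN up to the TLD (climbs towards the root)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def dnspython_lookup(name: str, timeout: float = 5.0) -> Result:
    """Live lookup using dnspython (assumption: `pip install dnspython`)."""
    import dns.exception
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "CAA", lifetime=timeout)
        return "records", [(r.flags, r.tag.decode(), r.value.decode()) for r in answer]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return "nodata", []
    except dns.exception.DNSException as exc:  # Timeout, NoNameservers (SERVFAIL), ...
        return "error", type(exc).__name__


def caa_permits(name: str, ca: str, lookup: Lookup = dnspython_lookup,
                wildcard: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for CA `ca` (e.g. letsencrypt.org) issuing for `name`."""
    for label in caa_chain(name):
        kind, data = lookup(label)
        if kind == "error":
            return False, f"CAA lookup for {label} failed ({data}): CA must refuse"
        if kind != "records" or not data:
            continue  # no RRset here, climb to the parent
        # Closest ancestor with a CAA RRset decides; unknown critical tags forbid issuance.
        if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in data):
            return False, f"CAA at {label} carries an unknown critical property"
        issue = [v for _, t, v in data if t == "issue"]
        issuewild = [v for _, t, v in data if t == "issuewild"]
        applicable = issuewild if (wildcard and issuewild) else issue
        if not applicable:
            return True, f"CAA at {label} has no issue property: any CA may issue"
        allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
        if ca.lower() in allowed:
            return True, f"CAA at {label} authorizes {ca}"
        return False, f"CAA at {label} restricts issuance to {sorted(allowed - {''}) or 'nobody'}"
    return True, "no CAA records in the chain: any CA may issue"
```

A live run is `caa_permits("www.hqwealth.com.au", "letsencrypt.org")`; a `(False, "CAA lookup for ... failed (Timeout) ...")` result is the same condition the Boulder error in this thread reports.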

It’s NetRegistry. Customers have probably been reporting it since 2015. One more is unlikely to make a difference, though it won’t hurt.

https://community.letsencrypt.org/search?q=netregistry

@huuvan20 At this point, your best option is to switch from NetRegistry/EzyReg to a DNS provider that doesn’t take years to solve simple, critical standards compliance issues.

Your other option is to find a CA that is more lenient with CAA DNS errors. (Or more lucky with NetRegistry.)

You don’t have to change hosting companies, or domain registrars (unless they don’t allow you control over which DNS provider is used), just DNS providers.

4 Likes

@tialaramex @mnordhoff I'm trying to contact the DNS provider, NetRegistry, to check if they can fix the response time issue. Changing the DNS provider is also being considered. Thank you very much!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.