My domain is nsrc.vtp.kenet.or.ke and various subdomains. There are actually two A record entries in DNS, one of which is a wildcard:
nsrc.vtp.kenet.or.ke. A 197.136.7.252
*.p.nsrc.vtp.kenet.or.ke. A 197.136.7.252
I am using dehydrated -c. The domains.txt file lists 71 individual domains. For avoidance of doubt: that's 71 different domains using HTTP-01 challenge, and I'm not attempting to get a wildcard certificate.
It produced this output:
...
+ Forcing renew.
+ Checking expire date of existing cert...
+ Valid till Jul 26 19:26:33 2024 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 71 authorizations URLs from the CA
+ Handling authorization for elk.p.nsrc.vtp.kenet.or.ke
+ Found valid authorization for elk.p.nsrc.vtp.kenet.or.ke
... (lots more of these) ...
+ 0 pending challenge(s)
+ Requesting certificate...
+ ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/finalize/1091617847/266269961837 (Status 403)
Details:
HTTP/2 403
server: nginx
date: Sun, 05 May 2024 13:41:33 GMT
content-type: application/problem+json
boulder-requester: 1091617847
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: KBbvukTe41tMXs77iVYIWZMIBOxl6UEUWS8VAJEqTvm3FYdm3Hg
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: Rechecking CAA for \"librenms.campus3.p.nsrc.vtp.kenet.or.ke\" and 69 more identifiers failed. Refer to sub-problems for more information",
"status": 403,
"subproblems": [
...
...
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for oob.host2.campus5.p.nsrc.vtp.kenet.or.ke: DNS problem: server failure at resolver looking up CAA for oob.host2.campus5.p.nsrc.vtp.kenet.or.ke",
"status": 403,
"identifier": {
"type": "dns",
"value": "oob.host2.campus5.p.nsrc.vtp.kenet.or.ke"
}
}
]
}
(Here just showing the last of the failed domains, but they all have the same error).
You'll note that there are 70 failures, versus 71 domains. The one domain which doesn't give an error is the top-level domain itself, nsrc.vtp.kenet.or.ke. All the failing ones are <something>.p.nsrc.vtp.kenet.or.ke:
# cat le.json | jq -r '.subproblems[].identifier.value' | wc -l
70
# cat le.json | jq -r '.subproblems[].identifier.value' | grep '\.p\.nsrc\.vtp\.kenet\.or\.ke' | wc -l
70
The previous certificate was fine (it was issued on Apr 27). I recently added two new hostnames to it, which forces a regeneration of the whole certificate. I did this a couple of days ago and it was failing then, and I've tried again daily and it's still failing in the same way today. Hence I don't think it's a transient problem.
The error suggests a problem with DNS. However I don't have any problem resolving from outside:
% dig @8.8.8.8 oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. caa
; <<>> DiG 9.10.6 <<>> @8.8.8.8 oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58979
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. IN CAA
;; AUTHORITY SECTION:
kenet.or.ke. 300 IN SOA ns1.kenet.or.ke. hostmaster.kenet.or.ke. 2024050202 14400 7200 604800 300
i.e. there's no CAA record, which is fine. And ditto if I go direct to the authoritative servers (ns1/ns2/ns3.kenet.or.ke), e.g.
% dig +norec @ns1.kenet.or.ke. oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. caa
; <<>> DiG 9.10.6 <<>> +norec @ns1.kenet.or.ke. oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58992
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oob.host2.campus5.p.nsrc.vtp.kenet.or.ke. IN CAA
;; AUTHORITY SECTION:
kenet.or.ke. 300 IN SOA ns1.kenet.or.ke. hostmaster.kenet.or.ke. 2024050202 14400 7200 604800 300
It works with +tcp too.
Is there possibly some connectivity issue between Letsencrypt servers and this network? Are there logs that can show this? All three nameservers are in AS36914 (which obviously isn't good, but I don't have control over that)
Alternatively, has something changed at Letsencrypt which may be causing these CAA lookups to fail?
Thanks,
Brian.
EDIT: I've now put it back to the original list of 69 domains and attempted a force renew, and I get the same errors. Therefore, adding the extra domains wasn't the underlying cause; something else has changed since April 27th which is preventing LE from checking for the non-existent CAA records.
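The following is an added example, not the poster's, dehydrated's or Let's Encrypt's code. It parses an ACME problem document of the shape shown above (a constructed, two-entry copy of the real one) the way the jq pipeline does, and then models the CAA recheck a CA performs at finalize per RFC 8659 section 3: climb from the identifier towards the TLD, take the first non-empty CAA RRset as the relevant one, and fail closed on SERVFAIL because an unresolvable CAA chain cannot prove issuance is allowed. The function names (`effective_caa`, `issuance_permitted`, `check_order`) and the in-memory lookup tables are assumptions; the "broken" view, where every name under the p.nsrc label returns SERVFAIL, is only a model of the symptom in the post, not a finding about those nameservers. It shows why the apex name passes while all 70 names under the wildcard label fail, and, on a constructed example.com zone, how a real issue/issuewild policy is applied.

```python
import json

# Constructed, trimmed copy of the finalize error in the post: two sub-problems
# stand in for the 70 the CA reported. Not the real response body.
SAMPLE_PROBLEM = json.dumps({
    "type": "urn:ietf:params:acme:error:caa",
    "detail": "Error finalizing order :: Rechecking CAA failed. Refer to sub-problems",
    "status": 403,
    "subproblems": [
        {"type": "urn:ietf:params:acme:error:caa", "status": 403,
         "detail": "DNS problem: server failure at resolver looking up CAA for "
                   "librenms.campus3.p.nsrc.vtp.kenet.or.ke",
         "identifier": {"type": "dns", "value": "librenms.campus3.p.nsrc.vtp.kenet.or.ke"}},
        {"type": "urn:ietf:params:acme:error:caa", "status": 403,
         "detail": "DNS problem: server failure at resolver looking up CAA for "
                   "oob.host2.campus5.p.nsrc.vtp.kenet.or.ke",
         "identifier": {"type": "dns", "value": "oob.host2.campus5.p.nsrc.vtp.kenet.or.ke"}},
    ],
})


def failing_identifiers(problem_json):
    """Same data as the post's jq pipeline: DNS identifiers of every sub-problem."""
    doc = json.loads(problem_json)
    return [sp["identifier"]["value"] for sp in doc.get("subproblems", [])
            if sp.get("identifier", {}).get("type") == "dns"]


def names_outside_suffix(names, suffix):
    """Names not under `suffix`; the post found this empty for .p.nsrc.vtp.kenet.or.ke."""
    return [n for n in names if not n.endswith(suffix)]


def table_lookup(table):
    """Build lookup(name) -> (rcode, CAA RRset as [(flags, tag, value), ...]) from an
    in-memory table. Names absent from the table answer NOERROR with no CAA."""
    return lambda name: table.get(name, ("NOERROR", []))


# Hypothetical resolver views (assumptions, not live DNS).
# HEALTHY: what dig @8.8.8.8 and the authoritative servers showed: no CAA anywhere.
# BROKEN: a model of the symptom: every name under the p.nsrc label SERVFAILs.
HEALTHY = table_lookup({})
BROKEN = lambda name: (("SERVFAIL", None) if name.endswith(".p.nsrc.vtp.kenet.or.ke")
                       else ("NOERROR", []))
# Constructed zone with a restrictive policy, to show a real CAA decision.
RESTRICTED = table_lookup({
    "example.com": ("NOERROR", [(0, "issue", "otherca.example"),
                                (0, "issuewild", "letsencrypt.org")]),
})


def effective_caa(name, lookup):
    """RFC 8659 s3 climb: from `name` up towards the TLD, the first non-empty CAA
    RRset is the relevant set; none anywhere means no restriction. A SERVFAIL on
    the way leaves the CA unable to prove issuance is allowed, so it fails closed."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rcode, rrset = lookup(candidate)
        if rcode == "SERVFAIL":
            raise LookupError(f"server failure at resolver looking up CAA for {candidate}")
        if rrset:
            return rrset
    return []


def issuance_permitted(name, lookup, ca="letsencrypt.org"):
    """True if `ca` may issue for `name` under the relevant CAA set. For a wildcard
    name, issuewild governs when present, otherwise issue; non-wildcards use issue."""
    wildcard = name.startswith("*.")
    rrset = effective_caa(name[2:] if wildcard else name, lookup)
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        values = [v for _flags, t, v in rrset if t == tag]
        if values:  # the first applicable property type decides
            return any(v.split(";")[0].strip() == ca for v in values)
    return True  # no applicable property: any CA may issue


def check_order(names, lookup, ca="letsencrypt.org"):
    """Recheck CAA for every identifier in an order, as the CA does at finalize.
    Returns {name: "ok" | "denied" | "error: <reason>"}."""
    result = {}
    for n in names:
        try:
            result[n] = "ok" if issuance_permitted(n, lookup, ca) else "denied"
        except LookupError as exc:
            result[n] = f"error: {exc}"
    return result


if __name__ == "__main__":
    order = ["nsrc.vtp.kenet.or.ke"] + failing_identifiers(SAMPLE_PROBLEM)
    for view, lookup in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(view, check_order(order, lookup))
```

Run against the BROKEN view, the apex name comes back "ok" while every name under .p.nsrc.vtp.kenet.or.ke comes back as a lookup error, which is exactly the 1-versus-70 split in the post: the climb from the apex never touches the wildcard label, and a CA that cannot complete the CAA climb must refuse rather than assume "no record". That is also why a resolver-side problem only visible from the CA's vantage point (not from 8.8.8.8 or a direct authoritative query) is enough to block finalization.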