Failing to use accounturi in production

I have tried to add accounturi to the CAA record of the domain:

dottedmag.eu has CAA record 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/35072636"

However certbot failed to renew the certificate. If I remove accounturi the renewal starts to work again.

I see CAA accounturi attribute support was enabled several days ago: Enabling ACME CAA Account and Method Binding — was it backed off? Or am I using the wrong syntax for the accounturi parameter?

My domain is: dottedmag.eu

I ran this command: certbot renew --force-renewal --dry-run --cert-name www.dottedmag.net (dottedmag.eu is included in the set of domains to renew).

It produced this output:

Simulating renewal of an existing certificate for dottedmag.eu and 5 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: dottedmag.eu
  Type:   caa
  Detail: CAA record for dottedmag.eu prevents issuance

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

Dry run does not require a forced renewal, please remove the --force-renewal option.

7 Likes

As dry-run runs through the staging server, shouldn't accounturi point to the staging account to work in dry run?
Not sure about the syntax for multiple URIs for ACME CAA.

8 Likes

Probably need to include a second CAA RR for the staging account URI indeed.

8 Likes

Exactly, staging needs a different CAA record because it's a different account.

CAA records are "OR", so a different CAA record which allows your staging account should do the trick. Within the same record the conditions are "and".

7 Likes
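The OR-between-records / AND-within-a-record rule from the replies above, as an added example (not code from the original thread, from certbot or from Let's Encrypt): a small evaluator of CAA `issue` records with the RFC 8657 `accounturi` and `validationmethods` parameters. It shows why the single production-bound record quoted in the question blocks a `--dry-run` (which uses a different, staging account) and why a second `issue` record for the staging account fixes it. The production account URI is the one from the thread; the staging account URI and the `dottedmag.eu` zone lines are constructed placeholders, and the record names, flags and tags follow RFC 8659 presentation format.

```python
"""Evaluate CAA 'issue' records with RFC 8657 parameters (accounturi,
validationmethods) to show why a record bound to the production ACME account
blocks a staging --dry-run, and why a second record for staging fixes it.

Added example, not from the original thread. STAGING_ACCOUNT is a made-up
placeholder; PROD_ACCOUNT is the record quoted in the question.
"""
from dataclasses import dataclass

# Account URI from the thread (production Let's Encrypt account).
PROD_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/35072636"
# Placeholder for the poster's staging account (assumed; not a real account id).
STAGING_ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0000000"

CRITICAL = 128  # RFC 8659 issuer-critical flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def zone_line(self, name: str) -> str:
        """Render the record in zone-file presentation format."""
        return f'{name}. IN CAA {self.flags} {self.tag} "{self.value}"'


def parse_issue_value(value: str):
    """Split 'issuer; key=val; key=val' into (issuer, {key: val})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_permits(record: CAARecord, issuer: str, account_uri: str, method: str) -> bool:
    """One record permits issuance only if the issuer matches AND every
    parameter in that record matches (conditions within a record are AND)."""
    rec_issuer, params = parse_issue_value(record.value)
    if rec_issuer == "" or rec_issuer != issuer.lower():
        return False  # value ";" denies all CAs; otherwise the record must name this CA
    # accounturi is an exact string comparison, so a prod URI never matches staging.
    acct = params.get("accounturi")
    if acct is not None and acct != account_uri:
        return False
    methods = params.get("validationmethods")
    if methods is not None and method not in [m.strip() for m in methods.split(",")]:
        return False
    return True


def issuance_permitted(records, issuer: str, account_uri: str, method: str) -> bool:
    """Across all records of one name, any single permitting 'issue' record
    suffices (records are OR)."""
    for r in records:
        if r.flags & CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False  # unknown critical tag: the CA must refuse (RFC 8659)
    issue_records = [r for r in records if r.tag.lower() == "issue"]
    if not issue_records:
        return True  # no 'issue' records: no restriction for a non-wildcard name
    return any(record_permits(r, issuer, account_uri, method) for r in issue_records)


# Constructed zone contents: the record from the question, then the fix.
ZONE_BEFORE = [CAARecord(0, "issue", f"letsencrypt.org; accounturi={PROD_ACCOUNT}")]
ZONE_AFTER = ZONE_BEFORE + [
    CAARecord(0, "issue", f"letsencrypt.org; accounturi={STAGING_ACCOUNT}"),
]


def check_both_environments(records):
    """Return (production_ok, staging_ok) for a webroot (http-01) renewal."""
    return (
        issuance_permitted(records, "letsencrypt.org", PROD_ACCOUNT, "http-01"),
        issuance_permitted(records, "letsencrypt.org", STAGING_ACCOUNT, "http-01"),
    )


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, "(prod_ok, staging_ok) =", check_both_environments(zone))
        for r in zone:
            print("   ", r.zone_line("dottedmag.eu"))
```

With only the production record, `check_both_environments` returns `(True, False)`: the real renewal succeeds but the dry run against staging is refused with exactly the "CAA record for dottedmag.eu prevents issuance" outcome seen in the question. Adding the second `issue` record yields `(True, True)`. Because parameters within one record are ANDed, putting both URIs into a single `accounturi=` value would match neither account; two records is the correct form.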

Indeed. I wasn't aware that dry-runs run through staging. Thank you!

7 Likes
