First time using Let's Encrypt, error with DNS CAA

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: Beyond Trust web - Request New Certificate

It produced this output: DNS problem: looking up CAA for DNSSEC:Bogus

My web server is (include version): Beyond Trust Appliance

The operating system my web server runs on is (include version): Red Hat Enterprise Linux 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have contacted Firewall, Application and DNS Hosting; all settings are correct. I just spoke with Network Solutions and they stated I need to reach out to Let's Encrypt to resolve the DNS error.

Here you will have to contact Let's Encrypt and get these records to be added here and we will update them for you here.

Your nameserver fails when a subdomain exists but doesn't have that type of record: it should reply NOERROR, but this server instead replies NXDOMAIN. Try adding an explicit CAA record on that subdomain to work around this bug.


Your domain has DNSSEC configured, but when we went to query for a CAA record, we got an invalid response.

You can see a similar error using Google's public DNS resolver here: Query: - Google Public DNS

You will have to figure out what's wrong with your DNS server to be able to use Let's Encrypt. As orangepizza posted while I wrote this, adding an explicit CAA record might fix it, if the problem is only with non-existent records.
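
The two failure modes named in the replies above (an NXDOMAIN answer for a name that exists, and a DNSSEC-bogus CAA lookup) can be told apart by comparing a validated query with one sent with checking disabled. This is an added example, not code from any poster in this thread; it assumes the Google Public DNS JSON API response format (`Status`, `Answer`), and the sample responses and the name `www.example.test` are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3  # DNS RCODEs, as given in the JSON "Status" field

def resolve(name, rtype, cd=False):
    """Live lookup via the Google Public DNS JSON API (needs network access)."""
    qs = urllib.parse.urlencode({"name": name, "type": rtype, "cd": int(cd)})
    with urllib.request.urlopen("https://dns.google/resolve?" + qs, timeout=10) as resp:
        return json.load(resp)

def diagnose(caa_validated, caa_unchecked, other_unchecked):
    """Classify a CAA lookup from three responses for the same name:
    CAA with validation, CAA with cd=1 (validation off), and another
    record type (e.g. A) with cd=1 to show whether the name exists."""
    findings = []
    exists = other_unchecked["Status"] == NOERROR and bool(other_unchecked.get("Answer"))
    if caa_validated["Status"] == SERVFAIL:
        if caa_unchecked["Status"] == SERVFAIL:
            # Still failing with validation off: not a DNSSEC problem.
            findings.append("servfail-unrelated-to-dnssec")
        else:
            # Fails only when the resolver validates: DNSSEC data is bogus.
            findings.append("dnssec-bogus")
    if caa_unchecked["Status"] == NXDOMAIN and exists:
        # NXDOMAIN means "no such name for any type", yet another type has data.
        findings.append("nxdomain-for-existing-name")
    return findings or ["ok"]

# Constructed sample responses, trimmed to the fields used above.
A_RECORD = {"Status": 0, "Answer": [
    {"name": "www.example.test.", "type": 1, "TTL": 300, "data": "192.0.2.10"}]}
CAA_RECORD = {"Status": 0, "Answer": [
    {"name": "www.example.test.", "type": 257, "TTL": 300,
     "data": '0 issue "letsencrypt.org"'}]}
# Before: validated CAA lookup fails, unvalidated one says NXDOMAIN, A record exists.
BROKEN = ({"Status": 2, "Comment": "constructed"}, {"Status": 3}, A_RECORD)
# After adding an explicit CAA record: both CAA lookups return it.
FIXED = (CAA_RECORD, CAA_RECORD, A_RECORD)

if __name__ == "__main__":
    print(diagnose(*BROKEN))  # ['dnssec-bogus', 'nxdomain-for-existing-name']
    print(diagnose(*FIXED))   # ['ok']
    # Live use: diagnose(resolve(n, "CAA"), resolve(n, "CAA", cd=True), resolve(n, "A", cd=True))
```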


It's been a recurring theme here that Network Solutions doesn't seem to know how to actually run a DNS server. Here's a thread from last year complaining about it, though if you search the forums you can find others.

Your options seem to be to change to a different DNS provider (one can use a different DNS provider than your web hosting provider, if you're otherwise happy with Network Solutions), to disable DNSSEC (since Network Solutions doesn't seem to know how to implement it), or to keep bashing your head against their tech support and hope that they eventually get a clue.


I saw that thread and I referenced it but got the go to talk to Let's Encrypt. I will disable DNSSEC for now. Thank you.


After disabling it I am getting green. Now to wait for the certificate request to refresh. Thank you!
All OK!


No issues were found with If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.