How can I check if my subdomain is blocked for too many requests?

When I try to create an SSL certificate from the DigitalOcean control panel (Spaces menu and Settings menu, add certificate, use Let's Encrypt), the process is pending for almost an hour and then I get an error.
I added a CAA record for Let's Encrypt for the subdomain singapore.axeltra.com, because we have a Comodo certificate on our domain (axeltra.com).

We get the same error

I had a typo two days ago, but have changed it since. We used to get the CAA record error when I tried in the console, but now it works fine in the console for sf-us.axeltra.com; the only problem is when I try to create it using the DigitalOcean control panel.

I’m trying to create this certificate to use it for CDN.

My domain is: axeltra.com

I ran this command: used DigitalOcean's "add certificate" with Let's Encrypt.

It produced this output: loading for almost an hour, then an error.

My web server is (include version): nginx/1.16.1

The operating system my web server runs on is (include version): Ubuntu 18.04.01 LTS

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Digitalocean’s control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


Hi @aatanasovski2,

For each kind of rate limit, the server returns a specific error message directly to the client.

The error message, if applicable, is returned quickly and so it should not cause a long delay.

Unfortunately, only the client—in this case, the DigitalOcean control panel software—receives the error; it’s not available anywhere else. So you would probably need to ask DigitalOcean’s support to look at their logs to find the reason for the problem.


Hi schoen,

This is the error we got from DigitalOcean; as I said, we already have CAA records for Let's Encrypt for the subdomains and a Comodo CAA record for the domain.

{"err":"acme: authorization error: 403 urn:acme:error:caa: CAA record for axeltra.com prevents issuance","host":"letsencryptresumer-1588000800-fnv4v","level":"debug","msg":"failed to validate ownership"}

DigitalOcean support told us the CAA was properly set. Are we missing something else in our DNS configuration, or did we exceed the request rate limit?

If this error message is being reported, it means one of two things:

  1. Digital Ocean is trying to issue a certificate for your base domain, or
  2. Digital Ocean is trying to issue a certificate for a subdomain that does not have a CAA record.

Can you ask Digital Ocean whether they can provide the ACME Order URL that corresponds to that error message?

This would provide an unambiguous answer for why the CAA error is happening.

This is the complete information about the log.

{
  "cert_uuid": "697f5a2d-f4c4-4c4b-9ec4-5e5eb0fe5f51",
  "dns_names": ["axeltra.com", "singapore.axeltra.com"],
  "egid": 0,
  "eid": 0,
  "env": "production",
  "err": "acme: authorization error: 403 urn:acme:error:caa: CAA record for axeltra.com prevents issuance",
  "host": "letsencryptresumer-1588000800-fnv4v",
  "level": "debug",
  "msg": "failed to validate domain ownership",
  "pid": 6,
  "pname": "/bin/lets-encrypt-resumer",
  "request_id": "5b477dbe-a9f1-498d-8b11-c4546b0f25cc",
  "runtime_version": "go1.14.2",
  "time": "2020-04-27T15:20:13.382351081Z",
  "version": "0c35d3072bd74d8dc259632b3e8d93bf630ef958"
}

Hi @aatanasovski2

You want to create a certificate with both the domain name and the subdomain name.

If the domain name has a blocking CAA entry, that can’t work.

Create a certificate only with the subdomain name.

Hi Juergen,

Thanks for the help.
Unfortunately, I'm creating it from the DigitalOcean control panel.
I added one more CAA record for Let's Encrypt for the axeltra.com domain, which already has a CAA record for Comodo, and it works now.
I hope having two CAA records for the same domain won't cause any problems?


That’s allowed and possible.

Via “check-your-website”, there are domains with 4 or more different CAA entries with different CAs.

No CAA -> all CAs allowed
Some CAA -> one must allow it.
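The rule above (no CAA anywhere up the tree means any CA may issue; once a relevant CAA RRset exists, at least one of its `issue` records must name the CA) is what the `lets-encrypt-resumer` log earlier in the thread is reporting: the order contained both `axeltra.com` and `singapore.axeltra.com`, and only the subdomain had a record allowing Let's Encrypt. The following is an added example, not code from Let's Encrypt, DigitalOcean or the thread, that models the RFC 8659 tree-climbing CAA lookup against a constructed zone mirroring the thread's DNS (the `comodoca.com` value, the `sf-us` record contents and the `*.axeltra.com` wildcard case are assumptions for illustration) and shows the order being blocked before the apex record is added and accepted afterwards:

```python
"""CAA authorization check modelled on RFC 8659 (added example, not Let's Encrypt's code).

Zone data below is constructed to mirror the thread: the apex has a Comodo CAA record,
the subdomains have Let's Encrypt records. The exact values are assumptions.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR

# Constructed stand-in for DNS answers, keyed by owner name.
ZONE_BEFORE_FIX: Dict[str, List[CaaRecord]] = {
    "axeltra.com": [(0, "issue", "comodoca.com")],          # assumed Comodo CAA value
    "singapore.axeltra.com": [(0, "issue", "letsencrypt.org")],
    "sf-us.axeltra.com": [(0, "issue", "letsencrypt.org")],
}

# The fix described in the thread: a second issue record on the apex.
ZONE_AFTER_FIX: Dict[str, List[CaaRecord]] = {
    **ZONE_BEFORE_FIX,
    "axeltra.com": [(0, "issue", "comodoca.com"), (0, "issue", "letsencrypt.org")],
}


def relevant_caa_rrset(zone: Dict[str, List[CaaRecord]], name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` towards the root and return the first non-empty CAA RRset
    together with the owner name it was found at (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def ca_permitted(zone: Dict[str, List[CaaRecord]], name: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name`; returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    lookup_name = name[2:] if wildcard else name
    found_at, rrset = relevant_caa_rrset(zone, lookup_name)
    if not rrset:
        return True, f"no CAA records for {name} or any parent: any CA may issue"
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tags = ["issue"]
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        tags = ["issuewild"]
    restricting = [rec for rec in rrset if rec[1] in tags]
    if not restricting:
        return True, f"CAA at {found_at} has no {'/'.join(tags)} records: issuance permitted"
    for _, _, value in restricting:
        issuer = value.split(";", 1)[0].strip().lower()  # 'issue ";"' yields '' and matches no CA
        if issuer == ca_domain.lower():
            return True, f'CAA {tags[0]} "{value}" at {found_at} authorises {ca_domain}'
    listed = ", ".join(v.split(";", 1)[0].strip() or '""' for _, _, v in restricting)
    return False, f"CAA record for {found_at} prevents issuance (permitted CAs: {listed})"


def check_order(zone: Dict[str, List[CaaRecord]], dns_names: List[str], ca_domain: str = "letsencrypt.org") -> List[str]:
    """Evaluate every name in an ACME order; return the names whose CAA blocks `ca_domain`."""
    return [name for name in dns_names if not ca_permitted(zone, name, ca_domain)[0]]


def main() -> None:
    order = ["axeltra.com", "singapore.axeltra.com"]  # dns_names from the posted log
    for label, zone in (("before", ZONE_BEFORE_FIX), ("after", ZONE_AFTER_FIX)):
        print(f"--- {label} adding a letsencrypt.org issue record to the apex ---")
        for name in order:
            allowed, reason = ca_permitted(zone, name, "letsencrypt.org")
            print(f"{name:24} {'OK     ' if allowed else 'BLOCKED'} {reason}")
        print("blocked names:", check_order(zone, order) or "none")


if __name__ == "__main__":
    main()
```

Against live DNS the constructed zone would be replaced by the answers to `dig +short CAA axeltra.com` and `dig +short CAA singapore.axeltra.com`; the climb to the parent is also why a name with no CAA record of its own (say `www.axeltra.com`) inherits the apex restriction, which is the second of the two causes listed in the earlier reply.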
