I cannot renew Certificate

chit164 · March 17, 2023, 2:12am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:nblp.moph.go.th

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: nblp.moph.go.th

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nblp.moph.go.th
Waiting for verification...
Challenge failed for domain nblp.moph.go.th
http-01 challenge for nblp.moph.go.th
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: nblp.moph.go.th
Type: caa
Detail: CAA record for nblp.moph.go.th prevents issuance
root@096241-U:~#
My web server is (include version): apache2 On Ubuntu20.04

The operating system my web server runs on is (include version): Ubuntu20.04

My hosting provider, if applicable, is: Linux

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):2.4

Bruce5051 · March 17, 2023, 2:19am

Hello @chit164, welcome to the Let's Encrypt community.

You need to add letsencrypt.org to your DNS CAA record or remove the CAA record altogether.

Using Let's Debug yields results https://letsdebug.net/nblp.moph.go.th/1410461

CAAIssuanceNotAllowed
Fatal
No CAA record on moph.go.th (wildcard=false) contains the issuance domain "letsencrypt.org". You must either add an additional record to include "letsencrypt.org" or remove every existing CAA record. A list of the CAA records are provided in the details.
moph.go.th. 0 IN CAA 0 issue "sectigo.com"
moph.go.th. 0 IN CAA 0 issue "godaddy.com"
moph.go.th. 0 IN CAA 0 issue "globalsign.com"
moph.go.th. 0 IN CAA 0 issue "digicert.com"

Your DNS CAA record contains https://unboundtest.com/m/CAA/moph.go.th/HTUYAL73

Query results for CAA moph.go.th

Response:
;; opcode: QUERY, status: NOERROR, id: 51109
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;moph.go.th.	IN	 CAA

;; ANSWER SECTION:
moph.go.th.	0	IN	CAA	0 issuewild "sectigo.com"
moph.go.th.	0	IN	CAA	0 issue "globalsign.com"
moph.go.th.	0	IN	CAA	0 issuewild "globalsign.com"
moph.go.th.	0	IN	CAA	0 issue "godaddy.com"
moph.go.th.	0	IN	CAA	0 issue "digicert.com"
moph.go.th.	0	IN	CAA	0 issuewild "digicert.com"
moph.go.th.	0	IN	CAA	0 issue "sectigo.com"

----- Unbound logs -----
Mar 17 02:16:19 unbound[741295:0] notice: init module 0: validator

Bruce5051 · March 17, 2023, 2:40am

And also see this Certificate Authority Authorization (CAA) - Let's Encrypt

chit164 · March 17, 2023, 2:40am

Thanks a lot!

system · April 16, 2023, 2:41am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.