Issues with certbot looking up CAA record

My domain is: centralus.mag-i-c.com

I ran this command: sudo certbot certonly --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: centralus.mag-i-c.com
2: www.centralus.mag-i-c.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for centralus.mag-i-c.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. centralus.mag-i-c.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for centralus.mag-i-c.com prevents issuance

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: centralus.mag-i-c.com
   Type:   None
   Detail: CAA record for centralus.mag-i-c.com prevents issuance


**IMPORTANT NOTES:**

- The following errors were reported by the server:

Domain: centralus.mag-i-c.com

Type: None

Detail: CAA record for centralus.mag-i-c.com prevents issuance

My web server is: with Nginx 1.14.0

The operating system my web server runs on is: Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Google Compute Engine

I can login to a root shell on my machine: Yes

I’m using a control panel to manage my site: No

The version of my client is: 0.31.0

I am having issues with certbot getting a certificate for the particular domain mentioned above. I have CAA records for both of the domains that I am using on both servers, and the setup should be exactly the same on both servers and both domains.

When I try and get a certificate for the centralus.mag-i-c.com server, I get a CAA error even though I have letsencrypt.com set as the only CAA for that domain:

webserver:~$ dig centralus.mag-i-c.com CAA

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> centralus.mag-i-c.com CAA

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24068

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 65494

;; QUESTION SECTION:

;centralus.mag-i-c.com. IN CAA

;; ANSWER SECTION:

centralus.mag-i-c.com. 2669 IN CAA 0 issue "letsencrypt.com"

;; Query time: 0 msec

;; SERVER: 127.0.0.53#53(127.0.0.53)

;; WHEN: Thu Sep 19 23:18:51 UTC 2019

;; MSG SIZE rcvd: 84

I am using Google Domains. Do you all have any guidance on why this might be happening?

Thanks in advance!

Our domain to use in CAA records is letsencrypt.org, not letsencrypt.com.

Wow, that was a dumb mistake on my part. I must have requested the certificate for the other server before the CAA record was live.

Thank you so much James!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.