Issues with certbot looking up CAA record

My domain is: centralus.mag-i-c.com

I ran this command: sudo certbot certonly --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: centralus.mag-i-c.com
2: www.centralus.mag-i-c.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for centralus.mag-i-c.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. centralus.mag-i-c.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for centralus.mag-i-c.com prevents issuance

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: centralus.mag-i-c.com
   Type:   None
   Detail: CAA record for centralus.mag-i-c.com prevents issuance


My web server is: with Nginx 1.14.0

The operating system my web server runs on is: Ubuntu 18.04 LTS

My hosting provider, if applicable, is: Google Compute Engine

I can login to a root shell on my machine: Yes

I'm using a control panel to manage my site: No

The version of my client is: 0.31.0

I am having issues with certbot getting a certificate for the particular domain mentioned above. I have CAA records for both of the domains that I am using on both servers, and the setup should be exactly the same on both servers and both domains.

When I try and get a certificate for the centralus.mag-i-c.com server, I get a CAA error even though I have letsencrypt.com set as the only CAA for that domain:

webserver:~$ dig centralus.mag-i-c.com CAA

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> centralus.mag-i-c.com CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24068
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;centralus.mag-i-c.com. IN CAA

;; ANSWER SECTION:
centralus.mag-i-c.com. 2669 IN CAA 0 issue "letsencrypt.com"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Sep 19 23:18:51 UTC 2019
;; MSG SIZE rcvd: 84

I am using Google Domains. Do you all have any guidance on why this might be happening?

Thanks in advance!

Our domain to use in CAA records is letsencrypt.org, not letsencrypt.com.

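To show concretely why the record in the dig output above blocks issuance and why the one-word change in the reply fixes it, here is an added example (not code from the thread, certbot, or Let's Encrypt) that performs the CAA check a CA makes before issuing, following RFC 8659: climb from the requested name toward the root until a CAA RRset is found, then see whether an `issue` (or `issuewild`) property names the CA's identifier. The zones are constructed in-memory dictionaries standing in for DNS, so it runs offline; `LETSENCRYPT_CAA_ID` is the `letsencrypt.org` identifier from the reply, and everything else is an assumption for illustration.

```python
"""Evaluate CAA records the way a CA does before issuing (RFC 8659).

Added example; the "zones" are constructed dicts standing in for DNS,
so the check runs offline against the exact records from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identifier Let's Encrypt expects in CAA issue/issuewild values (per the reply).
LETSENCRYPT_CAA_ID = "letsencrypt.org"

# Constructed record sets. The first is what dig returned in the question.
ZONE_AS_POSTED = {"centralus.mag-i-c.com": ['0 issue "letsencrypt.com"']}
ZONE_FIXED = {"centralus.mag-i-c.com": ['0 issue "letsencrypt.org"']}
ZONE_PARENT_ONLY = {"mag-i-c.com": ['0 issue "letsencrypt.org"']}
ZONE_NO_ISSUANCE = {"mag-i-c.com": ['0 issue ";"']}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Presentation form: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
_CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def parse_caa(presentation: str) -> CAARecord:
    """Parse one CAA record from its zone-file presentation form."""
    m = _CAA_RE.match(presentation.strip())
    if not m:
        raise ValueError(f"not a CAA record: {presentation!r}")
    flags, tag, value = m.groups()
    return CAARecord(int(flags), tag.lower(), value)


def relevant_record_set(zone: Dict[str, List[str]], name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s.3: walk from `name` up to the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return None, []


def caa_permits(zone: Dict[str, List[str]], name: str, ca_id: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Return (may_issue, reason) for CA `ca_id` issuing for `name`."""
    owner, records = relevant_record_set(zone, name)
    if not records:
        return True, "no CAA records found on the path to the root; issuance is unrestricted"
    # A property the CA does not understand with the critical bit (0x80) set forbids issuance.
    for r in records:
        if r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property {r.tag!r} at {owner}"
    tag = "issuewild" if wildcard else "issue"
    props = [r for r in records if r.tag == tag]
    if wildcard and not props:
        # No issuewild property: the issue property governs wildcard names too.
        tag, props = "issue", [r for r in records if r.tag == "issue"]
    if not props:
        return True, f"no {tag} property at {owner}; issuance is unrestricted"
    for r in props:
        # The value is "<issuer-domain>[; parameters]"; an empty issuer domain (";") permits nobody.
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer == ca_id.lower():
            return True, f'{tag} "{r.value}" at {owner} authorizes {ca_id}'
    return False, f"{tag} property at {owner} lists {[r.value for r in props]}, not {ca_id}"


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("fixed", ZONE_FIXED),
                        ("parent only", ZONE_PARENT_ONLY), ("no issuance", ZONE_NO_ISSUANCE)):
        ok, why = caa_permits(zone, "centralus.mag-i-c.com", LETSENCRYPT_CAA_ID)
        print(f"{label:12} -> {'ISSUE' if ok else 'REFUSE'}: {why}")
```

Run against `ZONE_AS_POSTED` the check refuses, because `letsencrypt.com` is a different string from the CA's identifier even though it looks like the same organisation; against `ZONE_FIXED` it permits. The parent-only case shows the tree climb that makes a CAA record at `mag-i-c.com` cover `centralus.mag-i-c.com` when the child has none, which is worth keeping in mind when a record "on the other server" appears to behave differently.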

Wow, that was a dumb mistake on my part. I must have requested the certificate for the other server before the CAA record was live.

Thank you so much James!

