LE is not issuing cert for unknown reason

Hi,

Hope you are doing well!

We are trying to request a LE (Let's Encrypt) cert via Akamai.

This cert has common name (CN): tst.carquote.nrma.com.au

Initially, this cert request had 68 SANs but we received the following error, "Let’s Encrypt: Error finalizing order :: Rechecking CAA for ", from LE, so we thought maybe we should reduce the number of SANs before the request is sent to LE.

Hence, we cleaned up the cert request to include only 2 additional SANs (9 SANs were already present in the cert which was already deployed on Akamai). This request was approved by LE, and the cert was received by and deployed on Akamai. So now tst.carquote.nrma.com.au has 11 SANs and is deployed on Akamai.

Next, because we need to have 68 SANs on the cert, we added 5 new SANs, sent the request to LE but this time received the same error as above, i.e., "Let’s Encrypt: Error finalizing order :: Rechecking CAA for ".

So, we tried with 3 SANs but still got the same error.

Then we tried with 2 new SANs, that went through and now we have 13 SANs in the cert deployed on Akamai.

However, since then we are having difficulty adding more SANs to the cert; we can't even add 1 SAN to the cert.

The error in the Akamai portal is always the same, i.e., "Let’s Encrypt: Error finalizing order :: Rechecking CAA for ".

When we looked for this error in the Akamai log, we found the following:
2023-05-09T06:17:18,589
LeErrorReport(statusCode=403, type=urn:ietf:params:acme:error:caa, detail=Error finalizing order :: Rechecking CAA for "tst.carquote.nrma.com.au"

The last SAN we tried to add was:
trg.landlordquote.nrma.com.au

Do note that in every single instance, the domain (ownership) validation has always passed, so we are confident that this isn't happening because we haven't met the DV cert requirements; rather, it's something technical and at this point it seems to be at the LE end.

Hence, we would really appreciate your assistance in troubleshooting this issue.

If there is any additional information you require from our side, just let us know.

Thanks in advance for your help!

Have a great day ahead!

1 Like

Rechecking of CAA records happens when Let's Encrypt is reusing valid authorizations which were originally obtained at a prior time (e.g. on a previous certificate order).

If you have 50 SANs on a certificate, and 1 day later, you want to issue another certificate with an additional SAN, I think this would probably rapidly trigger a few hundred DNS CAA rechecking queries during the order finalization step, which might result in a DNS failure due to the load.

It doesn't sound like you are doing anything especially wrong and I would expect that this use case is supposed to succeed, especially using Akamai's nameservers. I think it would be helpful if @lestaff were able to take a look at this one and offer any advice.

6 Likes

I have done a quick look, and I am seeing SERVFAILs from DNS in both initial CAA and CAA rechecking for the certs from the mentioned domain. I'll respond again once I have a bit more info on what the failures are.

6 Likes

Hi Matthew,

Thanks very much for looking into this issue for us - we will eagerly wait for your update :-)

Also, just in case you find it useful, around 7PM UTC on 9th May, the pending cert with 14 SANs was released by LE and successfully deployed on Akamai. However, when we tried to add another 9 SANs to the cert (bringing the total up to 23 SANs) on 10th May, we got the same error as before; this is what we see in the Akamai control center UI: "2023-05-10 01:11 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for \ ".

Further details from the server logs:

2023-05-10T01:11:54,723 - LeErrorReport(statusCode=403, type=urn:ietf:params:acme:error:caa, detail=Error finalizing order :: Rechecking CAA for "tst.caravanquote.nrma.com.au"

Best Regards!

2 Likes

Team,

Please note that the SAN addition mentioned above was released yesterday around 9:45AM GMT.

However, today we added another 28 SANs (bringing the total SAN count to 49) and the cert is stuck again. Below is the error we are receiving:
2023-05-11T03:32:27- LeErrorReport(statusCode=403, type=urn:ietf:params:acme:error:caa, detail=Error finalizing order :: Rechecking CAA for "trn.caravanquote.nrma.com.au"

Looks like whatever error is affecting this is still present.

Also, please note, we have exactly the same issue with the cert with CN: sys.carquote.nrma.com.au (19 SANs in the cert).
The error message is below:
2023-05-11 2023-05-11 03:49 GMT Let’s Encrypt: Error finalizing order :: Rechecking CAA for \

Would really appreciate it if you help release both certs.

Thanks!

1 Like

Hi @mcpherrinm / @lestaff
Just a follow-up on your earlier post: we are still experiencing the same errors as posted by Shahriar. Could you please advise?
Thanks in advance.

1 Like

If requests are succeeding with a smaller number of SANs, but you're seeing SERVFAIL errors with more SANs, it could be that Let's Encrypt's validation endpoints are triggering rate limiting or DDoS protection on this domain's authoritative nameservers (Akamai).

I spot-checked a couple of these subdomains and noticed that they are CNAMEs to CNAMEs, so every additional SAN is adding at least nine DNS queries that happen in rapid succession (three, from each of three different vantage points). With 68 SANs, that is 612 total DNS queries for the same zones in under a second. Then there are even more DNS queries to check CAA records further up the tree.

You might need to contact Akamai support and have their DNS team look into whether this will encounter rate limits, which could cause SERVFAILs like these.

7 Likes
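An added example (not from the thread or from Let's Encrypt's own code) that models the RFC 8659 CAA lookup over a constructed zone, to show how CNAME-to-CNAME SANs and multiple vantage points multiply the query burst and how a single SERVFAIL fails the order's CAA check. The placeholder edge hostnames, one query per CNAME hop and per ancestor label, and three vantage points are assumptions.

```python
# Model of RFC 8659 CAA lookup used to estimate the DNS burst of a multi-SAN order.
# Assumptions: one query per CNAME hop and per ancestor label; three vantage points.
SERVFAIL = "SERVFAIL"   # marker: the authoritative server answered SERVFAIL

# Constructed zone: name -> ("CNAME", target) | ("CAA", [records]) | SERVFAIL.
# Names with no entry answer NODATA. Edge hostnames are placeholders, not real ones.
ZONE = {
    "tst.carquote.nrma.com.au": ("CNAME", "tst-carquote.edge-placeholder.net"),
    "tst-carquote.edge-placeholder.net": ("CNAME", "a1.cdn-placeholder.net"),
    "trg.landlordquote.nrma.com.au": ("CNAME", "trg-landlord.edge-placeholder.net"),
    "trg-landlord.edge-placeholder.net": SERVFAIL,
    "nrma.com.au": ("CAA", ['0 issue "letsencrypt.org"']),
}

def lookup_caa(name, zone, max_hops=8):
    """Follow the CNAME chain from `name`; return (caa_records, queries, status)."""
    queries = 0
    for _ in range(max_hops):
        queries += 1                      # each hop is another query to some zone
        rr = zone.get(name)
        if rr == SERVFAIL:
            return None, queries, SERVFAIL
        if rr is None:
            return [], queries, "NODATA"
        rtype, value = rr
        if rtype != "CNAME":
            return list(value), queries, "NOERROR"
        name = value
    return None, queries, "LOOP"

def check_caa(name, zone):
    """RFC 8659: climb from `name` toward the TLD until a CAA set is found or an error."""
    labels = name.split(".")
    total = 0
    for i in range(len(labels) - 1):      # stop before the bare TLD
        records, q, status = lookup_caa(".".join(labels[i:]), zone)
        total += q
        if status in (SERVFAIL, "LOOP"):  # any failure fails the whole order
            return {"name": name, "ok": False, "queries": total, "status": status}
        if records:
            return {"name": name, "ok": True, "queries": total, "caa": records}
    return {"name": name, "ok": True, "queries": total, "caa": []}

def order_caa_burst(sans, zone, vantage_points=3):
    """Query count for one order (every SAN from every vantage point) and failing names."""
    results = [check_caa(s, zone) for s in sans]
    return {
        "queries": sum(r["queries"] for r in results) * vantage_points,
        "failed": [r["name"] for r in results if not r["ok"]],
    }
```

With the two constructed SANs the burst is 21 queries, and the second SAN's SERVFAIL alone is enough to fail the order.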

Hi James,

Thanks for your reply.

We have had issues even with just one additional SAN. For example, please check the cert with CN: sys.carquote.nrma.com.au, which is currently facing the same error.

Also, the current cert request with CN: tst.carquote.nrma.com.au has 28 SANs only.

Lastly, this is an issue with this renewal only. Last renewal 3 months ago didn't have any problems.

Please advise.

Thanks!

1 Like

Please try to get in contact with Akamai's DNS team and see if they can give you some visibility into what's happening on their end during validation. On our side, we're not seeing any new trends of SERVFAILs or other validation failures.

7 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

"Let’s Encrypt: Error finalizing order :: Rechecking CAA for \ "

Hi, this topic continues the discussion of closed forum: LE is not issuing cert for unknown reason.

In order to figure out if there is any issue at the Akamai DNS server end, our engineering team needs details around which name server is failing, as the query would be run from the LE side and we won't have details if it fails at the registrar level. Could you provide a dig +trace result or any log from your end on which NS it is failing?

If you can provide the info requested above, could you advise what the proper communication channel is between Akamai and LE to tackle this issue?

1 Like