MailInABox certificate issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gideon-it.co.uk

I ran this command: MailInABox runs the command - so I've no idea!

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for gideon-it.co.uk and 4 more domains
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "mta-sts.gideon-it.co.uk" and 3 more identifiers failed. Refer to sub-problems for more information
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: self-hosted on a VM

I can login to a root shell on my machine (yes or no, or I don't know): Yes (I think)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): MailInABox

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

EDIT

Just tried again and got the following...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for gideon-it.co.uk and 4 more domains
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for www.gideon-it.co.uk: DNS problem: server failure at resolver looking up CAA for gideon-it.co.uk
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

As far as I can tell the DNS is all OK. But as we know "It's always DNS"!!!

Neither unboundtest nor letsdebug saw that CAA error: hmm

3 Likes

Retrying the certificate provisioning I now get a different error…

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for gideon-it.co.uk and 4 more domains
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "gideon-it.co.uk" and 4 more identifiers failed. Refer to sub-problems for more information
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Any ideas what the problem could be?

Likely something in your DNS zone.
Please show the zone file [omitting any secret stuff (if any)].

gideon-it.co.uk nameserver = ns1.box.gideon-it.com
gideon-it.co.uk nameserver = ns2.box.gideon-it.com

ns1.box.gideon-it.com   internet address = 81.174.152.174
ns2.box.gideon-it.com   internet address = 81.174.152.174
2 Likes
$ORIGIN gideon-it.co.uk.
$TTL 86400          ; default time to live

@ IN SOA ns1.box.gideon-it.com. hostmaster.box.gideon-it.com. (
           2024030100     ; serial number
           7200     ; Refresh (secondary nameserver update interval)
           3600     ; Retry (when refresh fails, how often to try again, should be lower than the refresh)
           1209600  ; Expire (when refresh fails, how long secondary nameserver will keep records around anyway)
           86400    ; Negative TTL (how long negative responses are cached)
           )
	IN	NS	ns1.box.gideon-it.com.
	IN	NS	ns2.box.gideon-it.com.
	IN	A	81.174.152.174
	IN	MX	10 box.gideon-it.com.
	IN	TXT	"v=spf1 mx -all" 
_dmarc	IN	TXT	"v=DMARC1; p=quarantine;" 
_caldavs._tcp	IN	SRV	0 0 443 box.gideon-it.com.
_carddavs._tcp	IN	SRV	0 0 443 box.gideon-it.com.
autoconfig	IN	A	81.174.152.174
autoconfig	IN	TXT	"v=spf1 -all" 
autoconfig	IN	MX	0 .
_dmarc.autoconfig	IN	TXT	"v=DMARC1; p=reject;" 
autodiscover	IN	A	81.174.152.174
autodiscover	IN	TXT	"v=spf1 -all" 
autodiscover	IN	MX	0 .
_dmarc.autodiscover	IN	TXT	"v=DMARC1; p=reject;" 
mta-sts	IN	A	81.174.152.174
mta-sts	IN	TXT	"v=spf1 -all" 
mta-sts	IN	MX	0 .
_dmarc.mta-sts	IN	TXT	"v=DMARC1; p=reject;" 
www	IN	A	81.174.152.174
www	IN	TXT	"v=spf1 -all" 
www	IN	MX	0 .
_dmarc.www	IN	TXT	"v=DMARC1; p=reject;"

Tests of a single CAA query work fine from various tools (unboundtest, dnsviz, ...). And, those show you don't have a CAA record which is fine.

The Let's Encrypt server will make many queries from various world-wide server farms. Do you have some sort of DDoS protection that might block a burst of queries like that?

Are you able to view your DNS server logs for any clues?

2 Likes
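To make the two replies above concrete, here is an added example (not code from this thread, from Mail-in-a-Box, or from Let's Encrypt's validation service) that walks the CAA tree the way RFC 8659 section 3 describes: query the name, and if there is no CAA RRset climb to the parent, until a CAA RRset is found or the tree runs out. It runs over constructed answers rather than live DNS. The first scenario encodes what the posted zone says (no CAA record at any name, so issuance is permitted); the second is a constructed SERVFAIL at the apex, which is the shape of the "server failure at resolver looking up CAA for gideon-it.co.uk" error and which fails every identifier whose chain passes through the apex. The function names, the `Decision` type and the `ca.example` value are my own.

```python
"""
CAA decision walk (RFC 8659 section 3) run over constructed DNS answers.

Added example for this thread; not Mail-in-a-Box code and not what
Let's Encrypt's validation service runs. All answer maps below are
constructed: the posted zone has no CAA records, so its authoritative
answer is NODATA at every name; the SERVFAIL map mirrors the error text.
"""
from dataclasses import dataclass, field

NODATA = "NODATA"        # NOERROR with no CAA RRset: climb to the parent
SERVFAIL = "SERVFAIL"    # resolver got no usable answer: hard failure
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaRecord:
    flags: int   # 128 = "issuer critical" flag
    tag: str
    value: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    checked: list = field(default_factory=list)  # names looked up, in order


def caa_chain(name):
    """Yield the name and each ancestor: a.b.c -> a.b.c, b.c, c."""
    labels = name.strip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def evaluate_caa(name, answers, ca="letsencrypt.org", wildcard=False):
    """Decide whether `ca` may issue for `name`.

    `answers` maps a name to a list of CaaRecord, NODATA or SERVFAIL;
    names absent from the map count as NODATA.
    """
    checked = []
    for label in caa_chain(name):
        checked.append(label)
        rrset = answers.get(label, NODATA)
        if rrset == SERVFAIL:
            # A lookup failure is not "no CAA"; the CA must not guess.
            return Decision(False, f"SERVFAIL looking up CAA for {label}", checked)
        if rrset == NODATA or not rrset:
            continue  # nothing here, keep climbing
        # The first name with a CAA RRset decides; never look further up.
        for rr in rrset:
            if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
                return Decision(False, f"unknown critical tag {rr.tag!r} at {label}", checked)
        issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
        issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            # e.g. only iodef records: no issuer restriction at all
            return Decision(True, f"CAA at {label} carries no issue restriction", checked)
        for rr in relevant:
            issuer = rr.value.split(";", 1)[0].strip().lower()
            if issuer == ca:
                return Decision(True, f"{rr.tag} {ca} at {label}", checked)
        return Decision(False, f"CAA at {label} does not authorise {ca}", checked)
    return Decision(True, "no CAA RRset at any level", checked)


def check_order(identifiers, answers, ca="letsencrypt.org"):
    """Mirror the finalize-time recheck: return {identifier: reason} for every failure."""
    failures = {}
    for ident in identifiers:
        wildcard = ident.startswith("*.")
        d = evaluate_caa(ident[2:] if wildcard else ident, answers, ca, wildcard)
        if not d.allowed:
            failures[ident] = d.reason
    return failures


# The five names from the certbot output above.
ORDER = ["gideon-it.co.uk", "www.gideon-it.co.uk", "mta-sts.gideon-it.co.uk",
         "autoconfig.gideon-it.co.uk", "autodiscover.gideon-it.co.uk"]

# Scenario 1: the zone as posted, no CAA anywhere.
ZONE_AS_POSTED = {}
# Scenario 2 (constructed): resolver gets SERVFAIL for the apex.
APEX_SERVFAIL = {"gideon-it.co.uk": SERVFAIL}
# Scenario 3 (constructed): apex CAA names some other CA only.
OTHER_CA_ONLY = {"gideon-it.co.uk": [CaaRecord(0, "issue", "ca.example")]}


if __name__ == "__main__":
    for label, answers in [("as posted", ZONE_AS_POSTED),
                           ("apex SERVFAIL", APEX_SERVFAIL),
                           ("other CA only", OTHER_CA_ONLY)]:
        print(f"{label}: failures = {check_order(ORDER, answers)}")
```

The point the replies make is visible in the second scenario: one failed lookup at the apex sinks every identifier in the order, and because Let's Encrypt rechecks CAA at finalization from several vantage points, the failure only has to happen once to one of them. A single hand-run query that returns NODATA proves the zone data is fine but says nothing about whether the authoritative server answered every burst of queries.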

No idea how to look at DNS logs. Rather new to MailInABox and to Linux without a GUI. Spent a lifetime supporting Windows I'm afraid!

Unbelievably it's just worked!

It must have been a DNS propagation issue.

Let's Encrypt queries the authoritative DNS servers directly. It is not affected by TTL propagation.

3 Likes

Oh. Well that really is a mystery then!

1 Like
