I'm getting wrapped around the axle trying to renew a certificate with (newly) DNSSEC enabled.
I have a host "sol" inside my domain "prograde.net" and used -d prograde.net,sol.prograde.net to get the host name into the SAN list. But certbot seems to be trying to fetch a CAA record for "sol.prograde.net", which is a hostname. When a CAA fetch fails, isn't it supposed to look to the containing domain? That doesn't seem to happen.
My domain is: prograde.net
I ran this command: certbot certonly --agree-tos -m 'mcashwell@icloud.com' --manual --config-dir=. --work-dir=. --logs-dir=. --preferred-challenges=dns --cert-name prograde.net -d prograde.net,sol.prograde.net
It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: sol.prograde.net
Type: dns
Detail: DNS problem: looking up CAA for sol.prograde.net: DNSSEC: Bogus: validation failure <sol.prograde.net. CAA IN>: nodata proof failed from 172.64.52.250
My web server is (include version): N/A (no web server; the cert is for email over TLS)
The operating system my web server runs on is (include version): macOS 15.2
My hosting provider, if applicable, is: web.com (for DNS only)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is: certbot 3.0.1
After the CAA error "dig @172.64.53.155 prograde.net. CAA" produced:
;; ANSWER SECTION:
prograde.net. 3600 IN CAA 0 issue "letsencrypt.org"
So the parent domain has a Let's Encrypt CAA record. Why isn't certbot using that?
Is there some way to get a hostname into the SAN without certbot thinking that hostname is a domain that must have its own CAA record?
I'm so confused. I suppose I can just disable DNSSEC which I think triggered all this.
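The CAA tree walk the post asks about, as an added illustration that is not part of the original post and not Let's Encrypt's own code: it models the RFC 8659 section 3 lookup (query CAA at the exact name; if the answer is empty, climb to the parent; stop at the first non-empty set) over a constructed zone snapshot of the names in the thread. The point it makes is that the climb only happens on a definitive empty answer. A DNSSEC "Bogus" nodata proof is not a definitive answer, so the walk has to abort at sol.prograde.net before it ever reaches the CAA record at prograde.net, which is the behaviour the error message describes. The zone contents, the BOGUS marker and the policy rule (only the "issue" tag, no flags handling) are assumptions made for the example.

```python
"""CAA lookup per RFC 8659 section 3, run over an in-memory zone snapshot.

Each name maps to either a list of (flags, tag, value) CAA records (an empty
list means a validated NODATA answer) or the BOGUS marker, standing for an
answer whose DNSSEC validation failed.
"""

BOGUS = "DNSSEC-BOGUS"

# Constructed data modelled on the thread: the apex carries a CAA record for
# Let's Encrypt and the host has none. In the healthy snapshot the host's
# NODATA answer validates; in the broken one its non-existence proof is bogus.
ZONE_HEALTHY = {
    "prograde.net.": [(0, "issue", "letsencrypt.org")],
    "sol.prograde.net.": [],        # validated NODATA: walk may continue upward
}
ZONE_BROKEN = {
    "prograde.net.": [(0, "issue", "letsencrypt.org")],
    "sol.prograde.net.": BOGUS,     # nodata proof failed: not a definitive answer
}


class CAALookupError(Exception):
    """Raised when a CAA lookup yields no definitive (validated) result."""


def parent(name):
    """Strip the leftmost label: 'sol.prograde.net.' -> 'prograde.net.' -> ... -> '.'"""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def lookup_caa(zone, name):
    """Return the CAA RRset at exactly `name`, or raise if it cannot be validated.
    Names missing from the snapshot are treated as a validated empty answer."""
    rrset = zone.get(name, [])
    if rrset == BOGUS:
        raise CAALookupError(f"DNSSEC bogus answer for {name}")
    return rrset


def relevant_caa_set(zone, name):
    """First non-empty CAA RRset walking from `name` up towards the root.
    A non-definitive answer at any step aborts the walk instead of being skipped."""
    node = name if name.endswith(".") else name + "."
    while node != ".":
        rrset = lookup_caa(zone, node)
        if rrset:
            return node, rrset
        node = parent(node)
    return None, []


def may_issue(zone, name, ca="letsencrypt.org"):
    """Policy decision for one SAN name (simplified: 'issue' tag only, flags ignored)."""
    _, rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True  # no CAA anywhere on the path: any CA may issue
    return any(value.split(";")[0].strip() == ca
               for _flags, tag, value in rrset if tag == "issue")


def check_san_list(zone, names, ca="letsencrypt.org"):
    """Evaluate every SAN name independently, the way a CA must, and report per name."""
    results = {}
    for name in names:
        try:
            results[name] = "ok" if may_issue(zone, name, ca) else "refused by CAA"
        except CAALookupError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    sans = ["prograde.net", "sol.prograde.net"]
    print("healthy:", check_san_list(ZONE_HEALTHY, sans))
    print("broken: ", check_san_list(ZONE_BROKEN, sans))
```

With the healthy snapshot both names resolve to the apex record and pass; with the broken one the apex still passes but the host name fails with a lookup error, never reaching the parent's CAA record. The practical check on a live zone is the same walk done by hand with a validating resolver (dig +dnssec against each name from the host upward), confirming that the NODATA answer at the host name carries a validating NSEC/NSEC3 proof rather than coming back bogus.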