Netregistry DNS CAA Problem - Renewal Doesn't Work, Swapping to a Different Registrar Fixed the Issue

I also found a comment from @jsha that states:

Right now, the staging server has a stricter setting for CAA that rejects SERVFAILs for CAA, which is not yet rolled out in prod. Since --dry-run uses staging, that's why you only get the error there

So I tried to run it now without the --dry-run, and finally my certs were renewed successfully. :slight_smile:

To summarize my issues:
Wildcard subdomains are not working properly, and the staging server didn't accept the missing CAA record.
For the wildcard problem, I can live with it, but when this CAA change gets into prod, I will not be able to renew my certs again.

I have three domains on my LE cert, and all of them have wildcard subdomain CNAME records (*.domain.tld IN CNAME domain.tld). All work without an issue.

The issue isn't the lack of a CAA record, it's your DNS host's refusal to respond to the query for a CAA record. A response saying "there's no CAA record" is fine. A response saying "what's a CAA record?", or no response at all, isn't. If your DNS host can't answer those queries at all, it's broken.

I have already contacted my DNS provider about this, as it is clearly not an issue with the LE system.
About the wildcard… yup, it was working fine with the same setup for me too, but it looks like my provider changed something recently that may have broken some standards.
As you can see, my errors above were in the A record, until I inserted them one by one, without the wildcard.

with wildcard:
DNS problem: SERVFAIL looking up A for phpmyadmin.dmweb.hu
without the wildcard:
DNS problem: SERVFAIL looking up CAA for phpmyadmin.dmweb.hu

Could someone provide me with the exact query that LE needs, so I can test by hand and give it to them (the DNS provider) to solve the issue?

Thank you guys for helping me, it’s a great community here :slight_smile:

I think CAA may be a red herring here. I get repeated SERVFAILs for both A and CAA lookups for this domain:

dig A phpmyadmin.dmweb.hu @8.8.8.8
dig CAA phpmyadmin.dmweb.hu @8.8.8.8

To me this looks like timeouts or misconfiguration of the nameservers hosting your site.

I first installed Let’s Encrypt certificates about 75 days ago - had no problem using certbot-auto --apache certonly. It's time to renew and I am not able to renew due to a SERVFAIL timeout looking up A. Installed the latest certbot, still no luck. To the best of my knowledge (and having checked) there has been no change in the server or the DNS settings. Server is Ubuntu 14.04 with Apache and serving Owncloud.

Any assistance which may solve this problem will be greatly appreciated - only got about 15 days till expiry.

Thanks jsha, I will investigate this dns issue :slight_smile:

@prich, can you post your domain name?

Hi jsha,

It is not literally my domain but the address is public.
owncloud.precisevalue.com.au

Peter

@prich

$ dig +short precisevalue.com.au ns
ns2.partnerconsole.net.
ns3.partnerconsole.net.
ns1.partnerconsole.net.
$ dig +short partnerconsole.net ns
ns2.netregistry.net.
ns1.netregistry.net.
ns3.netregistry.net.

Another Netregistry DNS issue?

Hi, thanks for the help so far. It happens that when I was trying earlier there was a problem with Netregistry DNS (under DDOS attack). They say the system is now back up. AND the problem has changed: certbot-auto now reports a timeout with the CAA (no longer the A). Additionally it would appear that Netregistry do not support CAA. Where do I go from here?

Let’s Encrypt is committed to checking CAA for every certificate issuance in order to provide a way for people to indicate whether they do not want Let’s Encrypt to issue certificates for their domains.

If your DNS provider doesn’t support CAA records, you need to switch to another DNS provider or get them to fix it. This is built into the Let’s Encrypt CA and there is no way to turn off the checking (and eventually, other CAs are going to start requiring it too!).

To be explicit, you’re not required to have CAA records. It’s totally fine if your DNS servers say “nope, i don’t have any of those”. It becomes a problem when they return an error, or fail to respond at all.

While it’s not yet common for DNS providers to support CAA records, the underlying DNS server software they use has generally supported CAA for a couple years. Moreover, even older software will usually give a valid response to queries for unrecognized types.

It’s relatively rare for them to fail in a way that interferes with Let’s Encrypt validation.

This might be related to Netregistry’s ongoing issues, but they seem to fall into the “don’t respond at all” camp:

$ digr owncloud.precisevalue.com.au @ns1.partnerconsole.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse owncloud.precisevalue.com.au @ns1.partnerconsole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63485
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;owncloud.precisevalue.com.au.  IN      A

;; ANSWER SECTION:
owncloud.precisevalue.com.au. 3600 IN   CNAME   wilkin.precisevalue.com.au.
wilkin.precisevalue.com.au. 3600 IN     A       203.153.251.216

;; Query time: 187 msec
;; SERVER: 203.55.143.4#53(203.55.143.4)
;; WHEN: Tue Apr 18 06:33:28 UTC 2017
;; MSG SIZE  rcvd: 83

$ digr owncloud.precisevalue.com.au caa @ns1.partnerconsole.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse owncloud.precisevalue.com.au caa @ns1.partnerconsole.net
;; global options: +cmd
;; connection timed out; no servers could be reached

[Last i heard, Let’s Encrypt production was less strict and more forgiving about CAA failures than staging, but that might have been tightened up.]

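As an added example (not code from this thread), the script below sends the same question Let's Encrypt asks, `<name> IN CAA` (type 257), and judges the reply the way the post above describes: NOERROR with no CAA records, or NXDOMAIN, is fine, while SERVFAIL/REFUSED or no answer at all breaks issuance. It uses only the Python standard library; `query_caa` is a plain single-UDP-packet lookup against one nameserver (an assumption for testing by hand, not the CA's actual resolver), and the hostnames you pass to it are yours.

```python
import socket
import struct

CAA_TYPE = 257  # CAA RR type (RFC 6844); older dig only knows it as "type257"

def build_caa_query(name, txid=0x1234):
    """DNS query for <name> IN CAA with RD=0, the same question dig +norecurse sends."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, QD=1, AN, NS, AR
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, 1)  # QTYPE=CAA, QCLASS=IN

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2  # two-byte compression pointer ends the name

def classify_caa_response(resp):
    """Judge a reply the way the CA does: only errors or silence block issuance."""
    if resp is None:
        return "broken: no response (timeout)", []
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x0F
    if rcode not in (0, 3):  # NOERROR (with or without records) and NXDOMAIN are fine
        return "broken: rcode %d (SERVFAIL=2, NOTIMP=4, REFUSED=5)" % rcode, []
    off = 12
    for _ in range(qd):  # step past the echoed question(s)
        off = _skip_name(resp, off) + 4  # name + QTYPE + QCLASS
    records = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == CAA_TYPE:  # RDATA: flags byte, tag length, tag, value
            taglen = resp[off + 1]
            tag = resp[off + 2:off + 2 + taglen].decode()
            value = resp[off + 2 + taglen:off + rdlen].decode()
            records.append((tag, value))
        off += rdlen
    return "ok", records

def query_caa(name, server, timeout=3.0):  # one UDP query; None means it never answered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_caa_query(name), (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None
```

Run `classify_caa_response(query_caa("owncloud.example.com", "203.0.113.53"))` against each authoritative server from `dig +short <zone> ns`; a "broken" verdict from any of them is what to hand to the DNS provider.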

quick question from the sideline: what is digr? An alias for dig +norecursive?

It's just a shell alias I have for dig +norecurse.

alias digr="dig +norecurse"

(You don't actually need to use +norecurse, but I like to.)


Hi mnordhoff,

Thanks for all your help. I have resolved the problem.

After days of fruitless discussions with Netregistry support - they didn’t understand the problem at all. They have sent me an email asking what I thought of their support - I haven’t yet calmed down enough to contemplate a reply.

I did some searching and finally got some sensible answers and great help from iiNet hosting. Initially they even gave me the names of DNS hosting software which did support CAA to help in my search. They also did some tests on their system and found that it did respond to CAA checks even though it did not provide a positive response. On that basis I have changed to iiNet DNS Hosting AND have successfully renewed the certificate. On this basis I cannot recommend iiNet highly enough.

Thanks again to all who have helped with this problem.

Peter


Hi Peter,
I may be going down the same path as you with switching from NetRegistry to iinet for DNS hosting to resolve this CAA issue. My SSL certificates expire in 9 days. Do you mind my asking how long the transfer took and whether there was any downtime for your website? Was it a painful process getting all the DNS records exactly right or did iinet handle it?

I’ve had quite a few stressful support issues with NR over the years incidentally. I thought I’d escaped them quite a while back but then they took over Planet Domain and I inadvertently ended up back with them!


I have DNS slaves that don't understand CAA yet because of a too old BIND version and even they can respond after receiving the zone from a more recent BIND. The corresponding dig command doesn't understand CAA either on those servers but can be made to query with

dig $domain type257

So whatever Netregistry is doing, it shouldn't be a problem of their server software. Either their software is really dumb or - more likely - they employ some paranoid "security" appliance that sucks in other ways.

Hi Jojo,

We already had email hosting at iiNet so we already had a partial DNS system there. After making the entries in the DNS system and committing them, followed by resetting the name servers on Netregistry, I waited about an hour and all went through without a problem. I guess from your point of view you would need to open a DNS hosting account and I cannot tell you how long that might take but would assume very little time at all.

This whole process took a while, complicated by time differences: they are in Perth, I’m in Sydney and our server is in Adelaide.

Peter


Hi Peter
Thanks for the reply. Thankfully NetRegistry SEEM to have got their act together overnight as I was able to renew the certificates this morning. Some other people in another thread have also found it starting to work again, albeit erratically, and not everyone is convinced the solution will ‘stick’. In the future I think I’ll renew my certificates a few weeks before they expire so it won’t be so urgent to sort it out if I have problems. I will keep the iinet option up my sleeve.
Cheers
Jo

