No --dry-run option possible for CAA

after upgrading to bookworm (certbot 2.7.3) (with set CAA set
CAA 128 issuewild ";accounturi=" certbot DRY-RUN fails whereas a force renew succeeds.

Is that behaviour correct - caused by account not available on stage?

Here is the error:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 537, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 1550, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 131, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 396, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(, self.config.allow_subset_of_names)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/local/lib/python3.11/dist-packages/certbot/_internal/", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed

If intentionally, I would suggest a "more readable" message ....

Let's Encrypt staging uses a different ACME account. You need to add another CAA record allowing your staging account.


how? where to get a stageing account?

certbot show_account --test-cert


Testing the accounturi CAA parameter is unfortunately not possible using the staging environment with the production environment account URI as the value to the accounturi parameter. This because the account URI's are not the same.

Edit: while the sentence directly below is true, read to the bottom of this post too
Unfortunately it's not possible to specify multiple account URIs for the accounturi parameter:

A Property with multiple "accounturi" parameters is unsatisfiable.

(RFC 8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding)

So I don't think there really is a clear solution except to change the CAA RR to the staging account for testing and change it back again to the production account URI for getting an actual certificate.

I'm curious why the RFC denies multiple URIs so explicitely. A comma separated list wouldn't be too much to ask for, right?

Waaaait a minute: it's possible to have multiple CAA RRs present. Looking at the examples in the RFC, you can have multiple different account URIs specified over multiple CAA RRs! :slight_smile:


:slight_smile: thx for your answer


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.