Problem at renewing a certificate (CAA)

Hi, I have a problem with a certificate to renew which was renewed many times before. First of all I was just running into a timeout; then I changed the MTU of my eth0 and now I get a specific error message.

https://crt.sh/?q=www.podor.ch

My domain is: www.podor.ch

I use the current docker-certbot container to run it and I have no problems with other domains.

It produced this output:

```
2020-06-15 13:23:00,766:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-06-15 13:23:00,767:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--email', 'domains@loremipsum.at', '--agree-tos', '--force-renewal', '--authenticator', 'webroot', '--webroot-path', '/var/certbot-acme-challenge/', '--cert-name', 'podoroils.com', '--domain', 'podoroils.com', '--domain', 'www.podoroils.com', '--domain', 'shop.podoroils.com', '--domain', 'podorhuile.fr', '--domain', 'www.podorhuile.fr', '--domain', 'podor.co.uk', '--domain', 'www.podor.co.uk', '--domain', 'shop.podor.co.uk', '--domain', 'podor.com.au', '--domain', 'www.podor.com.au', '--domain', 'podor.de', '--domain', 'www.podor.de', '--domain', 'shop.podoroele.de', '--domain', 'shop.podor.at', '--domain', 'shop.podor.hu', '--domain', 'podor.ch', '--domain', 'www.podor.ch', '--domain', 'shop.podor.ch', '--domain', 'podor.ru', '--domain', 'www.podor.ru', '--domain', 'podor.lu', '--domain', 'www.podor.lu', '--domain', 'podor.se', '--domain', 'www.podor.se', '--domain', 'podor.jp', '--domain', 'www.podor.jp', '--domain', 'podor.es', '--domain', 'www.podor.es', '--domain', 'podor.pl', '--domain', 'www.podor.pl', '--domain', 'podor.nl', '--domain', 'www.podor.nl', '--domain', 'podor.sk', '--domain', 'www.podor.sk', '--domain', 'podor.dk', '--domain', 'www.podor.dk', '--domain', 'podor.tw', '--domain', 'www.podor.tw', '--domain', 'podoroele.de', '--domain', 'www.podoroele.de', '--domain', 'podor.at', '--domain', 'www.podor.at', '--domain', 'podor.hu', '--domain', 'www.podor.hu', '--domain', 'de.podor.ch', '--domain', 'dev.podor.hu', '--domain', 'dev.podor.ch', '--domain', 'dev.podor.co.uk', '--domain', 'dev.podoroils.com', '--domain', 'de.shop.podor.ch', '--domain', 'shop.podor.com.au', '--domain', 'dev.podor.com.au', '--domain', 'podorhuile.fr', '--domain', 'www.podorhuile.fr', '--domain', 'shop.podorhuile.fr', '--domain', 'podorhuile.be', '--domain', 'www.podorhuile.be', '--domain', 'shop.podorhuile.be', '--domain', 'www.de.podor.ch', '--domain', 'shop.podor.pl', '--domain', 'shop.podor.nl', '--domain', 'shop.podor.tw', '--domain', 'podor-oil.com', '--domain', 'www.podor-oil.com', '--domain', 'shop.podor-oil.com', '--domain', 'podorme.com', '--domain', 'www.podorme.com', '--domain', 'shop.podorme.com', '--domain', 'ar.podorme.com', '--domain', 'ar.shop.podorme.com', '--domain', 'store.podor.hu', '--domain', 'localonlinepartner.at', '--domain', 'www.localonlinepartner.at', '--domain', 'localonlinepartner.de', '--domain', 'www.localonlinepartner.de', '--domain', 'localonlinepartner.ch', '--domain', 'www.localonlinepartner.ch', '--domain', 'localonlinepartner.com', '--domain', 'www.localonlinepartner.com', '--domain', 'new.podor.sk', '--domain', 'new.podor.jp']
2020-06-15 13:23:00,767:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-15 13:23:00,925:DEBUG:certbot._internal.log:Root logging level set at 20
2020-06-15 13:23:00,926:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-15 13:23:00,928:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-06-15 13:23:00,941:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
.
.
.
2020-06-15 13:23:31,146:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/478444/3778870753 HTTP/1.1" 403 None
2020-06-15 13:23:31,148:DEBUG:acme.client:Received response:
HTTP 403
Server: nginx
Date: Mon, 15 Jun 2020 13:23:31 GMT
Content-Type: application/problem+json
Transfer-Encoding: chunked
Connection: keep-alive
Boulder-Requester: 478444
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101cWMUnuN5U4wbRcpSbnlPHsC_gk-IZVgdmVImzOwqaHU

{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: Rechecking CAA for \"dev.podor.ch\" and 7 more identifiers failed. Refer to sub-problems for more information",
  "status": 403,
  "subproblems": [
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for dev.podor.ch: DNS problem: SERVFAIL looking up CAA for dev.podor.ch - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "dev.podor.ch"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for shop.podor.ch: DNS problem: SERVFAIL looking up CAA for shop.podor.ch - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "shop.podor.ch"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "podoroele.de"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for new.podor.jp: DNS problem: SERVFAIL looking up CAA for podor.jp - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "new.podor.jp"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for shop.podor.pl: DNS problem: SERVFAIL looking up CAA for podor.pl - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "shop.podor.pl"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for shop.podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "shop.podoroele.de"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for www.podor.se: DNS problem: SERVFAIL looking up CAA for podor.se - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "www.podor.se"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for www.podor.nl: DNS problem: SERVFAIL looking up CAA for podor.nl - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "www.podor.nl"
      }
    }
  ]
}
2020-06-15 13:23:31,149:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 306, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 359, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 291, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline)
  File "/opt/certbot/src/acme/acme/client.py", line 901, in finalize_order
    return self.client.finalize_order(orderr, deadline)
  File "/opt/certbot/src/acme/acme/client.py", line 749, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/opt/certbot/src/acme/acme/client.py", line 96, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/certbot/src/acme/acme/client.py", line 1177, in post
    return self._post_once(*args, **kwargs)
  File "/opt/certbot/src/acme/acme/client.py", line 1190, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/certbot/src/acme/acme/client.py", line 1048, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "dev.podor.ch" and 7 more identifiers failed. Refer to sub-problems for more information
2020-06-15 13:23:31,157:ERROR:certbot._internal.log:An unexpected error occurred:
2020-06-15 13:23:31,157:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "dev.podor.ch" and 7 more identifiers failed. Refer to sub-problems for more information
```

It says the CAA check failed because of a wrong response, but my provider told me that there is no wrong answer on their side.
Does anyone know what I can do now, because it worked many times already and since this renewal period it is failing :frowning:

@edit:
I just tested the feedback from letsdebug.net; it always tells me that there is no error…

1 Like
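The `application/problem+json` body in the post above is the ACME problem document format (RFC 8555 section 6.7.1): a top-level error plus one `subproblems` entry per identifier. The useful detail is buried in each `detail` string, which names the rcode and the name the CA was resolving when the lookup died, and that name is often a parent of the identifier (for `new.podor.jp` the failed query was for `podor.jp`). As an added example, not certbot or Boulder code and not from the thread's author, here is a small parser that groups the failed identifiers by that queried name so one broken zone shows up once rather than per hostname. `PROBLEM_JSON` is constructed from the posted response and trimmed to four sub-problems; the regex `DETAIL_RE` assumes Boulder's current wording of the detail string.

```python
"""Parse an ACME problem document carrying CAA sub-problems and group the
failed identifiers by the DNS name the CA actually queried.

Added example for this thread; not certbot or Boulder code."""
import json
import re
from collections import defaultdict

CAA_ERROR = "urn:ietf:params:acme:error:caa"

# Boulder's detail string names the rcode and the name being resolved when
# the lookup failed. Assumption: this wording stays stable across versions.
DETAIL_RE = re.compile(
    r"DNS problem: (?P<rcode>[A-Z]+) looking up CAA for (?P<queried>\S+)"
)

# Constructed from the response in the post above, trimmed to four entries.
PROBLEM_JSON = r"""{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: Rechecking CAA for \"dev.podor.ch\" and 7 more identifiers failed. Refer to sub-problems for more information",
  "status": 403,
  "subproblems": [
    {"type": "urn:ietf:params:acme:error:caa",
     "detail": "Error finalizing order :: While processing CAA for dev.podor.ch: DNS problem: SERVFAIL looking up CAA for dev.podor.ch - the domain's nameservers may be malfunctioning",
     "status": 403, "identifier": {"type": "dns", "value": "dev.podor.ch"}},
    {"type": "urn:ietf:params:acme:error:caa",
     "detail": "Error finalizing order :: While processing CAA for new.podor.jp: DNS problem: SERVFAIL looking up CAA for podor.jp - the domain's nameservers may be malfunctioning",
     "status": 403, "identifier": {"type": "dns", "value": "new.podor.jp"}},
    {"type": "urn:ietf:params:acme:error:caa",
     "detail": "Error finalizing order :: While processing CAA for shop.podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
     "status": 403, "identifier": {"type": "dns", "value": "shop.podoroele.de"}},
    {"type": "urn:ietf:params:acme:error:caa",
     "detail": "Error finalizing order :: While processing CAA for podoroele.de: DNS problem: SERVFAIL looking up CAA for podoroele.de - the domain's nameservers may be malfunctioning",
     "status": 403, "identifier": {"type": "dns", "value": "podoroele.de"}}
  ]
}"""


def parse_caa_failures(problem_text):
    """Return one dict per CAA sub-problem: identifier, queried name, rcode."""
    doc = json.loads(problem_text)
    if doc.get("type") != CAA_ERROR:
        return []
    failures = []
    for sub in doc.get("subproblems", []):
        if sub.get("type") != CAA_ERROR:
            continue
        match = DETAIL_RE.search(sub.get("detail", ""))
        failures.append({
            "identifier": sub["identifier"]["value"],
            "queried": match.group("queried") if match else None,
            "rcode": match.group("rcode") if match else None,
        })
    return failures


def climb_levels(identifier, queried):
    """How many labels above the identifier the CA had climbed when the
    lookup failed (0 = the identifier itself); None if unrelated names."""
    if queried == identifier:
        return 0
    if identifier.endswith("." + queried):
        return identifier[: -len(queried) - 1].count(".") + 1
    return None


def group_by_queried_name(failures):
    """Map each queried name to the sorted identifiers whose check died there."""
    grouped = defaultdict(list)
    for failure in failures:
        grouped[failure["queried"] or "(unparsed)"].append(failure["identifier"])
    return {name: sorted(ids) for name, ids in grouped.items()}


if __name__ == "__main__":
    failures = parse_caa_failures(PROBLEM_JSON)
    for queried, ids in group_by_queried_name(failures).items():
        print(f"{queried}: {', '.join(ids)}")
```

Grouping this way turns the eight sub-problems in the post into a short list of zones to take to the DNS provider, and `climb_levels` makes it visible when the failure happened at a parent rather than at the hostname itself.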

Hi @karlkowald

Checked one domain via https://check-your-website.server-daten.de/?q=podor.ch - no real problem visible.

Checked other via Unboundtest - https://unboundtest.com/m/CAA/podor.se/KLQVVP72 had a Servfail.

Summary

Query results for CAA podor.se

```
Response:
;; opcode: QUERY, status: SERVFAIL, id: 52722
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;podor.se. IN CAA

----- Unbound logs -----
Jun 15 14:12:43 unbound[26236:0] notice: init module 0: validator
Jun 15 14:12:43 unbound[26236:0] notice: init module 1: iterator
Jun 15 14:12:44 unbound[26236:0] info: start of service (unbound 1.10.1).
Jun 15 14:12:44 unbound[26236:0] info: 127.0.0.1 podor.se. CAA IN
Jun 15 14:12:44 unbound[26236:0] info: resolving podor.se. CAA IN
Jun 15 14:12:44 unbound[26236:0] info: priming . IN NS
Jun 15 14:12:44 unbound[26236:0] info: response for . NS IN
Jun 15 14:12:44 unbound[26236:0] info: reply from <.> 2001:500:2f::f#53
Jun 15 14:12:44 unbound[26236:0] info: query response was ANSWER
Jun 15 14:12:44 unbound[26236:0] info: priming successful for . NS IN
Jun 15 14:12:45 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:45 unbound[26236:0] info: reply from <.> 2001:500:200::b#53
Jun 15 14:12:45 unbound[26236:0] info: query response was REFERRAL
Jun 15 14:12:48 unbound[26236:0] info: Capsforid: timeouts, starting fallback
Jun 15 14:12:48 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:48 unbound[26236:0] info: reply from <se.> 2001:678:e:112::53#53
Jun 15 14:12:48 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 2001:67c:254c:301::53#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: starting fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 192.36.144.107#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 2001:67c:254c:301::53#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 2001:678:e:112::53#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 185.159.198.150#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 192.36.135.107#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 2001:6b0:e:3::1#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 185.159.197.150#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:49 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:49 unbound[26236:0] info: reply from <se.> 2001:678:e:112::53#53
Jun 15 14:12:49 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:50 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:50 unbound[26236:0] info: reply from <se.> 2001:67c:124c:e000::4#53
Jun 15 14:12:50 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:50 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:50 unbound[26236:0] info: reply from <se.> 2001:678:e:112::53#53
Jun 15 14:12:50 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
Jun 15 14:12:50 unbound[26236:0] info: response for podor.se. CAA IN
Jun 15 14:12:50 unbound[26236:0] info: reply from <se.> 2620:10a:80aa::150#53
Jun 15 14:12:50 unbound[26236:0] info: Capsforid: reply is equal. go to next fallback
```

But some minutes later - https://unboundtest.com/m/CAA/podor.se/OLA7665K - no problem.

1 Like

Thanks @JuergenAuer, so the only thing I can do is to talk to the DNS provider to investigate again or change the DNS/domain provider… :frowning:

I don't know if that solves the problem.

See the Servfail: very early, it looks like one of the se nameservers is buggy.

The catcher-in-the-rye.nic.se has a red underline - https://check-your-website.server-daten.de/?q=podor.se

Nameserver doesn't pass all EDNS-Checks: catcher-in-the-rye.nic.se: OP100: no result. FLAGS: no result. V1: no result. V1OP100: no result. V1FLAGS: no result. DNSSEC: no result. V1DNSSEC: no result. NSID: no result. COOKIE: no result. CLIENTSUBNET: no result.

So it's not one of your name servers.

Checked some minutes later - https://unboundtest.com/m/CAA/podor.se/FXR2WFR5 - now some biz servers have a lot of

query response was DNSSEC LAME

Not critical, but not good.

Is it possible to split the certificate so you have certificates with a smaller number of domain names?

1 Like

Well, splitting up is not that easy; it would need a lot of duplicate configuration at the webserver…

But isn't it somehow strange that the certificate isn't created because of problems with the root DNS servers of the TLD servers??
I mean:
https://check-your-website.server-daten.de/?q=podor.ch (red underlined of g.nic.ch )
https://check-your-website.server-daten.de/?q=podor.jp (red underlined of z.dns.jp )

Is the problem that there are too many checks needed for the certificate at once? And if so, why did it work for over 2 years and only make trouble now?

1 Like

I don’t think these single checks are really relevant.

The additional EDNS checks are not critical for creating Let's Encrypt certificates; these are the red lines.

But if you have so many domain names, there are a lot of DNS queries to your set of name servers.

That may be critical.

PS: But maybe your NS configuration really is the problem.

Checked https://unboundtest.com/m/CAA/podor.jp/OCKGMOGS - again

query response was DNSSEC LAME

A lot of LAME answers.

You have four name servers. But resolving the name server IP addresses (see https://check-your-website.server-daten.de/?q=podor.jp#nameserver-ipaddresses ) requires a lot of DNS queries, 19 queries.

Maybe these are done again and again, so there are timeouts.

One thing you can do: create CAA entries for your main domains (podor.jp etc.); then jp + CAA isn't checked.
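The suggestion above works because of how a CA finds the CAA records that apply to a name (RFC 8659 section 3): it queries the name itself, then each parent in turn up to and including the TLD, and stops at the first non-empty CAA RRset. Without a record at `podor.jp` the climb reaches `jp`, so a SERVFAIL from the TLD servers fails the whole check; with a record at `podor.jp` the climb never gets that far. Let's Encrypt also repeats this check at finalization when an earlier validation's CAA result is more than 8 hours old, which is why the order dies at the finalize step although the challenges passed. As an added example, not Boulder code and not from anyone in this thread, here is a simulation of that climb plus the issuance decision (RFC 8659 section 4) over constructed resolver answers; `ZONE_WITHOUT_APEX_CAA` and `ZONE_WITH_APEX_CAA` are made up for the demonstration and are not the real DNS of these domains.

```python
"""Simulate CAA tree climbing (RFC 8659 section 3) and the issuance decision
(RFC 8659 section 4) to show why a SERVFAIL at a parent zone blocks a child
name and why a CAA record at the registered domain stops the climb early.

Added example for this thread; not Boulder or certbot code. Zone data is
constructed, not the thread author's real DNS."""


class CAALookupError(Exception):
    """Raised when any zone on the climb answers SERVFAIL (or times out):
    a CA must treat this as a failed check, not as 'no CAA'."""


SERVFAIL = "SERVFAIL"
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed resolver answers: name -> list of (flags, tag, value) CAA
# records, [] for NODATA/NXDOMAIN, or SERVFAIL for a broken nameserver.
ZONE_WITHOUT_APEX_CAA = {
    "new.podor.jp": [],
    "podor.jp": [],
    "jp": SERVFAIL,  # constructed: the TLD servers misbehave for this query
}

ZONE_WITH_APEX_CAA = {
    "new.podor.jp": [],
    "podor.jp": [(0, "issue", "letsencrypt.org")],
    "jp": SERVFAIL,  # never reached: the climb stops at podor.jp
}


def parent(name):
    """Strip the leftmost label; None once the TLD has been passed."""
    return name.split(".", 1)[1] if "." in name else None


def relevant_caa_set(name, answers):
    """Return (records, name_where_found). Climb from `name` towards the TLD
    until a non-empty CAA RRset is found; an empty set after the TLD means
    'no CAA anywhere'. Any SERVFAIL on the way aborts the whole check."""
    current = name
    while current is not None:
        rrset = answers.get(current, [])
        if rrset == SERVFAIL:
            raise CAALookupError(f"SERVFAIL looking up CAA for {current}")
        if rrset:
            return rrset, current
        current = parent(current)
    return [], None


def ca_may_issue(name, answers, ca_domain="letsencrypt.org", wildcard=False):
    """No relevant records -> any CA may issue. Otherwise the CA must be named
    in an issue record (issuewild takes precedence for wildcard names), and an
    unknown tag with the critical flag (128) set forbids issuance outright."""
    rrset, _ = relevant_caa_set(name, answers)
    if not rrset:
        return True
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in rrset):
        tag = "issuewild"
    # Value is "<issuer-domain>[; parameters]"; an empty issuer means 'nobody'.
    issuers = [r[2].split(";", 1)[0].strip() for r in rrset if r[1] == tag]
    if not issuers:
        return True  # only non-restricting tags (e.g. iodef) present
    return ca_domain in issuers


def check(name, answers, **kwargs):
    """Outcome as a CA would report it: allowed, forbidden, or a DNS error."""
    try:
        return "allowed" if ca_may_issue(name, answers, **kwargs) else "forbidden"
    except CAALookupError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(check("new.podor.jp", ZONE_WITHOUT_APEX_CAA))
    print(check("new.podor.jp", ZONE_WITH_APEX_CAA))
```

Run as-is, the first call reports the SERVFAIL at `jp` and the second reports `allowed`, which is the difference the CAA record at the registered domain makes. The same climb explains the `looking up CAA for podor.jp` wording in the error for `new.podor.jp` earlier in the thread.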

Meanwhile I tried to create a CAA entry for each TLD, but it too tells me that it has errors returned…

```
2020-06-15 20:41:19,236:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/478444/3782999146 HTTP/1.1" 403 None
2020-06-15 20:41:19,238:DEBUG:acme.client:Received response:
HTTP 403
Server: nginx
Date: Mon, 15 Jun 2020 20:41:19 GMT
Content-Type: application/problem+json
Transfer-Encoding: chunked
Connection: keep-alive
Boulder-Requester: 478444
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101JJDCVSvcQxS5Ob2j8JnFzkPXtiEEcGWqIOEzmL19TYI

{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: Rechecking CAA for \"new.podor.sk\" and 5 more identifiers failed. Refer to sub-problems for more information",
  "status": 403,
  "subproblems": [
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for new.podor.sk: DNS problem: SERVFAIL looking up CAA for new.podor.sk - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "new.podor.sk"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for www.podor.ch: DNS problem: SERVFAIL looking up CAA for podor.ch - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "www.podor.ch"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for dev.podor.ch: DNS problem: SERVFAIL looking up CAA for podor.ch - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "dev.podor.ch"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for podor.sk: DNS problem: SERVFAIL looking up CAA for podor.sk - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "podor.sk"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for podor.se: DNS problem: SERVFAIL looking up CAA for podor.se - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "podor.se"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for podor.tw: DNS problem: SERVFAIL looking up CAA for podor.tw - the domain's nameservers may be malfunctioning",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "podor.tw"
      }
    }
  ]
}
```

@karlkowald we are having the same issue; I checked and noticed you also have EuroDNS as your DNS provider.

I already have a support case open with them, and made them aware of this topic.

I am not saying 2 cases are definite proof, but I am leaning towards an issue at EuroDNS.

EuroDNS has implemented a fix, for us this worked.

1 Like

Yeah, worked for me too. Looks like your support case helped a lot; my support case just told me that they have no problem, all is fine :smiley:
