Problem: How to set up DNS CAA

Hi,

My records are:

my-domain.com.br. 0 issue ;
my-domain.com.br. 0 issuewild letsencrypt.org
my-domain.com.br. 0 iodef mailto:my-email@my-domain.com.br

But it always returns the error:

acme: error: 403 :: urn:ietf:params:acme:error:caa :: CAA record for teste.winserver2019.my-domain.com.br prevents issuance

I checked at https://dnsspy.io/labs/caa-validator and there it shows OK: https://i.imgur.com/bZbN8oJ.png

Can someone help me?
Thank You.

Hi @douglasoliveiraadv, welcome to the community forum :wave:

What ACME client are you using? Can you share the command/configuration?

(As a note: it would be easier to debug this if you shared your real domain name)

One thing I notice about this policy is that it would forbid issuance for the base domain. It’s typical when requesting a wildcard certificate to request both *.example.com and example.com since the former won’t cover the latter. If you are doing that with this CAA policy the validation for example.com will fail because there is no issue allowing Let’s Encrypt, just an issuewild which is not considered for this case because RFC 6844 says:

issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain.
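The rule quoted above is the whole story of the error in the original question, so here is the CAA decision procedure written out as an added example (not code from the thread, from Let’s Encrypt or from Traefik). It follows RFC 6844 (and its successor RFC 8659): walk from the requested name towards the root to find the relevant CAA RRset, ignore issuewild for non-wildcard names, let issuewild take precedence over issue for wildcard names, and treat the value ";" as authorising no CA at all. The two zones are constructed from the records posted in the question and from the fix suggested in this reply; all function names are this example's own.

```python
"""CAA issuance check following RFC 6844 / RFC 8659 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical; the thread's records use 0
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # for issue/issuewild: "<issuer-domain>[; params]" or ";"


# Constructed zone: the policy from the original question.
ORIGINAL_ZONE = {
    "my-domain.com.br": [
        CAARecord(0, "issue", ";"),
        CAARecord(0, "issuewild", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:my-email@my-domain.com.br"),
    ],
}

# Constructed zone: the same policy with an issue tag for Let's Encrypt added.
FIXED_ZONE = {
    "my-domain.com.br": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:my-email@my-domain.com.br"),
    ],
}


def relevant_rrset(zone, name):
    """RFC 6844 section 4: walk from the queried name towards the root and
    return (owner, records) of the closest ancestor-or-self with CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def authorised_issuer(value):
    """Issuer domain named by an issue/issuewild value; '' for the value ';'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone, name, ca_domain):
    """Return True if the CA identified by ca_domain may issue for name.

    name may be a wildcard ("*.example.com"); the CAA lookup then starts at
    the label after "*.", which is how a CA evaluates it."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    _owner, rrset = relevant_rrset(zone, lookup)
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # Non-wildcard name: issuewild MUST be ignored.
    # Wildcard name: issuewild takes precedence over issue when present.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # no restricting property tag: issuance is not limited
    return any(authorised_issuer(r.value) == ca_domain.lower() for r in applicable)


def explain(zone, name, ca_domain):
    verdict = "permits" if issuance_allowed(zone, name, ca_domain) else "forbids"
    return f"CAA policy {verdict} {ca_domain} issuing for {name}"


if __name__ == "__main__":
    for host in ("teste.winserver2019.my-domain.com.br",
                 "*.winserver2019.my-domain.com.br"):
        print("original:", explain(ORIGINAL_ZONE, host, "letsencrypt.org"))
        print("fixed:   ", explain(FIXED_ZONE, host, "letsencrypt.org"))
```

Run stand-alone it prints that the original policy forbids issuance for teste.winserver2019.my-domain.com.br but permits the wildcard, and that the fixed policy permits both. The same walk towards the root is why the CAA validator showed the record as "ok": the record itself is well-formed; it is the policy it expresses that rejects the non-wildcard name.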

Hello! Many thanks for the quick reply!

I’m using Traefik (Docker).

My domain is mvarandas.com.br.

I need https at *.winserver2019.mvarandas.com.br

Thank you again!

teste.winserver2019.my-domain.com.br isn’t a wildcard hostname. Therefore, without an issue tag for letsencrypt.org, your CAA record will refuse certificates with this hostname, as @cpu already explained.


Can you update your DNS zone so that instead of:

my-domain.com.br. 0 issue ";"

It has:

my-domain.com.br. 0 issue "letsencrypt.org"

and then see if you still get a CAA policy error when using Traefik to issue certificates for the domain.

Hi @douglasoliveiraadv,

now your CAA entries are OK:

8. CAA - Entries

Domainname                          flag  Name       Value                     ∑ Queries  ∑ Timeout
www.winserver2019.mvarandas.com.br  0     no CAA entry found                   1          0
winserver2019.mvarandas.com.br      0     no CAA entry found                   1          0
mvarandas.com.br                    5     issue      comodoca.com              1          0
mvarandas.com.br                    5     iodef      douglas@mvarandas.com.br  1          0
mvarandas.com.br                    5     issue      letsencrypt.org           1          0
mvarandas.com.br                    9     issuewild  letsencrypt.org           1          0
com.br                              0     no CAA entry found                   1          0

Does Traefik support a manual option? There are no TXT entries visible.

You should create one certificate with *.winserver2019.mvarandas.com.br and winserver2019.mvarandas.com.br, so you need two entries with

_acme-challenge.winserver2019.mvarandas.com.br

as domain name and different values.


Thank you all for your help.
You guys are very fast!

@JuergenAuer But I did not quite understand your instructions.

Do I need one or two more records?

Should I generate the certificate manually?
How should these records be?

From what I saw of Traefik, it generates the necessary certificate itself. I got an error in the Traefik log file.

Thank you!

Now everything is ok. Thank you!


Glad to hear it! Thanks for reporting back :slight_smile:

The typical wildcard certificate has *.example.com and example.com as domain names and uses dns-01 validation with both domain names. So you have to create two TXT entries.

I don’t know the options of Traefik. And an automatic script requires that you manage your own DNS server or your DNS provider supports an API you can use.

But happy to read that it worked :wink:
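Why the two dns-01 challenges end up as two TXT records under one owner name is easiest to see by computing them, so here is an added example (not code from the thread or from Traefik) that derives the TXT values as RFC 8555 section 8.4 specifies: the key authorization is token "." thumbprint, the TXT value is base64url(SHA-256(key authorization)) without padding, and the owner name is _acme-challenge under the identifier with any leading "*." stripped, so the wildcard and the base name share one name and differ only in value. The tokens and the account-key thumbprint are constructed stand-ins for what a real ACME server and client would exchange.

```python
"""dns-01 TXT records for a wildcard plus base name (RFC 8555 section 8.4).
Added example; tokens and thumbprint below are constructed values."""
import base64
import hashlib

ACME_CHALLENGE_LABEL = "_acme-challenge"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def txt_value(token: str, thumbprint: str) -> str:
    """TXT RDATA = base64url(SHA-256(token '.' account-key thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """Owner name of the TXT record: '*.' is removed first, so the wildcard
    and the base name are validated at the same _acme-challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"{ACME_CHALLENGE_LABEL}.{base}"


def zone_lines(challenges, thumbprint):
    """Zone-file lines to publish; challenges maps identifier -> token.
    Both records must exist at the same time: the CA checks each challenge
    against every TXT value found at the name."""
    return [f'{challenge_name(ident)}. 60 IN TXT "{txt_value(tok, thumbprint)}"'
            for ident, tok in challenges.items()]


# Constructed values standing in for a real ACME order's tokens and
# for the RFC 7638 thumbprint of the account key.
THUMBPRINT = "constructed-account-key-thumbprint"
CHALLENGES = {
    "*.winserver2019.mvarandas.com.br": "constructed-token-for-wildcard",
    "winserver2019.mvarandas.com.br": "constructed-token-for-base-name",
}

if __name__ == "__main__":
    for line in zone_lines(CHALLENGES, THUMBPRINT):
        print(line)
```

Run stand-alone it prints two TXT lines with the identical owner name _acme-challenge.winserver2019.mvarandas.com.br and two different 43-character values, which is the "two entries with the same domain name and different values" described earlier in the thread. A client that replaces the first TXT record with the second instead of adding it will pass one challenge and fail the other.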
