Query timed out looking up CAA for another subdomain

I am using certbot with the Apache module and most hosts work fine, but I am not able to create a certificate for the subdomain dev.free.purnhob.cf.

Certbot fails with Failed authorization procedure. dev.free.purnhob.cf (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for free.purnhob.cf.
The subdomain free.purnhob.cf does not exist, I only configured dev.free.purnhob.cf. Why is certbot looking for free.purnhob.cf?

Hi @erik-f

If a subdomain doesn't have a CAA entry, the next parent domain is checked.

But why doesn't the main domain work? Checking a CAA entry there should never be a timeout, that's fatal.

PS: It's not Certbot (the client you use), it's Letsencrypt that checks the CAA entry.

PPS: Your domain looks like a phishing domain.

Thank you for the quick answer.

But why doesn't the main domain work?

The domain purnhob.cf does work and I can create a certificate for it. Only the subdomain free.purnhob.cf does not exist.

Is this a problem with the DNS provider? We have other domains that work with more subdomain levels (while the next higher level does not exist).

PPS: Your domain looks like a phishing domain.

Well, that is no coincidence. We are working on a service like verylegit.link or shadyurl.com and we want our domains to look as fishy as possible.

I added a DNS record for the subdomain free.purnhob.cf and now generating a certificate for dev.free.purnhob.cf works.
As creating a certificate for another host with multiple levels of subdomains worked (while the higher levels didn't exist), I assume that this is the DNS provider's fault.

I would guess that Let's Encrypt didn't find a CAA record for dev.free, so it looked for free and timed out as this subdomain didn't exist. Now that it exists, it finds no CAA record for free (but doesn't time out), so it checks the main domain and finds a CAA. Do I understand this correctly?

How does this usually work? Does a good DNS provider supply CAA records for subdomains and doesn't rely on Let's Encrypt to work itself up to the main domain?

Yes, that's possible, although the most common case is that a good DNS provider provides a correct DNS protocol error when a CAA record is missing. According to the CAA specs, this counts as no CAA record, which is fine.

I think there's a subtlety here about DNS provider software that doesn't realize it's authoritative for an intermediate level subdomain when there are no records at that level, or something. Perhaps the implementers thought "if there are no records at this level, we never need to return anything in response to queries for them" or something? But as you can see in the documentation above, Let's Encrypt insists on actively getting a reply indicating that the record is nonexistent, which was lacking in this case for some reason.


Yes, it's a problem of that provider. If dev.free... exists but free... doesn't, that's ok / allowed.

But then a NoData answer would be required, not a timeout.

Timeout - Letsencrypt doesn't know if there is a man in the middle that blocks the CAA answer -> Letsencrypt can't create a certificate.

NoData answer -> ok, no data -> Letsencrypt can create a certificate.

So CAA queries and timeouts are critical.

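To make the tree-climbing behaviour and the timeout-versus-NoData distinction discussed in this thread concrete, here is a small simulation of the CA-side CAA check (added illustration written for this thread, not code from Let's Encrypt or from the original poster). It implements the RFC 8659 lookup: start at the requested name, and walk towards the root until a CAA RRset is found; an authoritative NoData answer means "keep climbing", while a lookup that fails (modelled here as "TIMEOUT") stops the process and forbids issuance, because the CA cannot know whether a restricting record was hidden from it. The two zones are constructed to mirror the thread's before/after state; the record values and the no-records-anywhere case are assumptions, not real DNS data.

```python
"""
Simulated CAA evaluation as a CA performs it (RFC 8659 section 3 and 4).
Zone contents below are constructed for the example; they are not the real
purnhob.cf zone and no network lookups are made.
"""
from typing import Dict, List, Tuple, Union

# Outcome of a single CAA query, modelled as a plain value:
#   list of record strings -> the name has a CAA RRset
#   "NODATA"               -> an authoritative answer that carries no CAA records
#   "TIMEOUT"              -> no answer at all (server fault, dropped query, blocked path)
Outcome = Union[List[str], str]

# Constructed zone mirroring the thread before the fix: the intermediate label
# free.purnhob.cf has no records and the provider never answers for it.
ZONE_BEFORE_FIX: Dict[str, Outcome] = {
    "dev.free.purnhob.cf": "NODATA",
    "free.purnhob.cf": "TIMEOUT",
    "purnhob.cf": ['0 issue "letsencrypt.org"'],  # assumed record for the example
    "cf": "NODATA",
}

# Same zone after a record was added at free.purnhob.cf: the server now
# answers NODATA for that name instead of dropping the query.
ZONE_AFTER_FIX: Dict[str, Outcome] = {**ZONE_BEFORE_FIX, "free.purnhob.cf": "NODATA"}


def lookup_caa(fqdn: str, zone: Dict[str, Outcome]) -> Tuple[str, str, List[str]]:
    """Climb from fqdn towards the root until a CAA RRset is found.

    Returns (status, name, records):
      "caa"   -> an RRset was found at `name`; `records` holds it
      "none"  -> no CAA anywhere up the tree; issuance is unconstrained
      "error" -> the query for `name` failed; the CA must refuse to issue
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        outcome = zone.get(name, "NODATA")  # names absent from the zone answer NODATA
        if outcome == "TIMEOUT":
            return ("error", name, [])
        if outcome != "NODATA":
            return ("caa", name, list(outcome))
    return ("none", "", [])


def parse_caa(record: str) -> Tuple[int, str, str]:
    """Split a presentation-format record 'flags tag "value"' into its parts."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')


def issuance_allowed(fqdn: str, ca_domain: str, zone: Dict[str, Outcome],
                     wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether a CA identified by ca_domain may issue for fqdn.

    Simplified policy: only the issue/issuewild properties are evaluated;
    the critical flag on unknown tags is not modelled.
    """
    status, name, records = lookup_caa(fqdn, zone)
    if status == "error":
        return False, f"CAA lookup for {name} failed; refusing to issue"
    if status == "none":
        return True, "no CAA records found up to the root"

    parsed = [parse_caa(r) for r in records]
    # issuewild governs wildcard requests only when such a property is present;
    # otherwise the issue property applies to wildcards as well (RFC 8659 4.3)
    has_issuewild = any(tag == "issuewild" for _, tag, _ in parsed)
    relevant_tag = "issuewild" if wildcard and has_issuewild else "issue"
    relevant = [v for _, tag, v in parsed if tag == relevant_tag]
    if not relevant:
        return True, f"CAA at {name} has no {relevant_tag} property; issuance unrestricted"

    # the part before ';' names the authorised CA; 'issue ;' (empty) forbids every CA
    authorised = {v.split(";", 1)[0].strip() for v in relevant}
    if ca_domain in authorised:
        return True, f"CAA at {name} authorises {ca_domain}"
    return False, f"CAA at {name} does not authorise {ca_domain}"


if __name__ == "__main__":
    for label, zone in (("before fix", ZONE_BEFORE_FIX), ("after fix", ZONE_AFTER_FIX)):
        ok, reason = issuance_allowed("dev.free.purnhob.cf", "letsencrypt.org", zone)
        print(f"{label}: {'issue' if ok else 'refuse'} - {reason}")
```

Running the block walks the same path the thread describes: before the fix the climb reaches free.purnhob.cf, gets no answer, and stops with a refusal; after the fix the NoData answer lets it continue to purnhob.cf, where the (assumed) CAA record authorises the CA. Swapping the record for a different CA domain shows the record actually being enforced rather than merely found.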