Question about Weird behavior for CAA Record

Hi Team,

Good day,

There is a website that is served through Akamai and when the Certificate was getting renewed, there was one domain in a SAN which showed as Validation pending in Akamai Certificate Portal.

We took the DNS token in the portal and updated it on the DNS server. And when we checked the Akamai portal again the token changed. We went ahead and updated the DNS TXT record and the same problem repeated. This happened like 4 times in very short duration.

On getting on a call with the Akamai Support, the issue was identified as the CAA record being incorrectly updated: no LetsEncrypt mentioned there, there was another CA’s name. We changed it and the issue got resolved.

The question here is, normally if such a scenario occurs I think I remember there will be an error saying "CAA record for example.com prevents issuance", something like that. But not sure if the process changed on your end.

Just want to clarify if a CAA record can cause this kind of issue, where a new token is always generated if the CAA validation failed, or if there is any other reason for this weird behavior.

As certificate issues can cause a DoS situation, would really appreciate if we can get a response a little sooner.

Thanks
Raja

1 Like
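The check the poster expected ("CAA record for example.com prevents issuance") is the RFC 8659 lookup a CA performs before issuing. Below is an added illustration, not code from this thread or from Let's Encrypt, that walks the lookup over a constructed zone in which `example.com` lists only another CA, as in the misconfiguration described above; the zone contents, the `otherca.example` name and the helper names are assumptions.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value) of one CAA record

# Constructed CAA data keyed by FQDN (not a real zone).
# "example.com" reproduces the thread's misconfiguration: only another CA is listed.
CAA_ZONE: Dict[str, List[Record]] = {
    "example.com": [(0, "issue", "otherca.example")],
    "ok.example.com": [(0, "issue", "letsencrypt.org")],
    "wild.example.com": [(0, "issue", "otherca.example"), (0, "issuewild", "letsencrypt.org")],
    "none.example.com": [(0, "issue", ";")],  # ';' means no CA may issue
    "iodef.example.com": [(0, "iodef", "mailto:security@example.com")],
}


def relevant_rrset(name: str, zone: Dict[str, List[Record]]) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 section 3: climb from the name toward the root and return the
    first non-empty CAA RRset found, together with the label it was found at."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(name: str, ca_domain: str, zone: Dict[str, List[Record]] = CAA_ZONE) -> Tuple[bool, str]:
    """Decide whether ca_domain (e.g. letsencrypt.org) may issue for name.
    A leading '*.' marks a wildcard request: the lookup starts at the parent and
    issuewild properties take precedence over issue properties when present."""
    wildcard = name.startswith("*.")
    origin, records = relevant_rrset(name[2:] if wildcard else name, zone)
    if not records:
        return True, "no CAA records in the chain: issuance is unrestricted"
    tag = "issuewild" if wildcard and any(r[1] == "issuewild" for r in records) else "issue"
    values = [r[2] for r in records if r[1] == tag]
    if not values:
        return True, f"{origin} has CAA records but no '{tag}' property: unrestricted"
    # The issuer domain is the part of the value before any ';'-separated parameters.
    permitted = {v.split(";", 1)[0].strip() for v in values}
    if ca_domain in permitted:
        return True, f"{origin} permits {ca_domain} via '{tag}'"
    return False, f"CAA record for {origin} prevents issuance by {ca_domain} (permitted: {sorted(p for p in permitted if p)})"


if __name__ == "__main__":
    for host in ("www.example.com", "ok.example.com", "*.wild.example.com", "none.example.com"):
        print(host, issuance_allowed(host, "letsencrypt.org"))
```

Note that the lookup for `www.example.com` climbs to `example.com`, so a CAA record on the apex restricts every name beneath it that has no CAA set of its own.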

The challenge token would change any time the Akamai ACME client recreated the order.

It does not change in the lifetime of a single ACME order.

So hypothetically, if the Akamai client was recreating the order every time it was hitting the CAA error (during the challenge response or finalization/CSR submission phases), this would also cause the authorization to be recreated, along with the associated challenge tokens.

2 Likes

Hi, thank you for the prompt response. Really appreciated. We are the intermediary here, I am not the website owner exactly so don’t want to share specific information in a public forum. However I can share the hostname/domain in a unicast one-to-one email. Just want to know if it is possible to find out what caused regeneration of DNS tokens as soon as the previous token was updated in the DNS zone file, to clarify or confirm the theory of the ACME client creating a new order when there was a CAA failure.

Just want to know the cause of it from the technical side to be better aware and cautious in future (because there was a DoS situation for a short duration due to lack of a certificate).

Please let me know if one-to-one communication is possible from LetsEncrypt for this specific situation. My email: r*********@gmail.com (or if I can lock this question/thread from public view).

Thanks again

Hi @Raja_19

That’s a question for that client. The protocol of that client should have all the information.

A wrong CAA doesn’t initiate creating a new order.

But a client may have such a “not so good behaviour”. So the client tries it again and again -> that client is buggy.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.