There do seem to be a couple of real problems in here:
First, a simple one. A subproblem’s type
should not include the urn:ietf:params:acme:error:
prefix twice.
Second, the duplicate sub-problems does seem like a bug. While Let’s Encrypt does look up the CAA records multiple times per authorization (multi-VA, and assuming 8 hours has elapsed since the authz first went into valid
status), it should not produce multiple subproblems.
I have a slight suspicion about the cause. I think that your CSR contains admin.mrhs.hwrsd.org
(or some other identifier) multiple times, and then Let’s Encrypt is failing to do proper checking/filtering of it before using it to recheck CAA records. Would you be able to post the contents of the CSR file?
I managed to reproduce this problem myself locally …
{
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: Rechecking CAA for \"xoo.foo.monkas.xyz\" and 1 more identifiers failed. Refer to sub-problems for more information",
"status": 403,
"subproblems": [
{
"type": "urn:ietf:params:acme:error:urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for xoo.foo.monkas.xyz: CAA record for xoo.foo.monkas.xyz prevents issuance",
"status": 403,
"identifier": {
"type": "dns",
"value": "xoo.foo.monkas.xyz"
}
},
{
"type": "urn:ietf:params:acme:error:urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for xoo.foo.monkas.xyz: CAA record for xoo.foo.monkas.xyz prevents issuance",
"status": 403,
"identifier": {
"type": "dns",
"value": "xoo.foo.monkas.xyz"
}
}
]
}
By creating a CSR with these SANs and sending it into finalization:
X509v3 Subject Alternative Name:
DNS:foo.monkas.xyz, DNS:foo.monkas.xyz, DNS:xoo.foo.monkas.xyz
@lestaff any confirmation? (I’m wary that this might actually be possible to apply as a CAA re-checking bypass … maybe I should delete and send to security@ …)