Rechecking caa fails with 99 identical subproblems

There do seem to be a couple of real problems in here:

First, a simple one. A subproblem’s type should not include the urn:ietf:params:acme:error: prefix twice.

Second, the duplicate sub-problems does seem like a bug. While Let’s Encrypt does look up the CAA records multiple times per authorization (multi-VA, and assuming 8 hours has elapsed since the authz first went into valid status), it should not produce multiple subproblems.

I have a slight suspicion about the cause. I think that your CSR contains admin.mrhs.hwrsd.org (or some other identifier) multiple times, and then Let’s Encrypt is failing to do proper checking/filtering of it before using it to recheck CAA records. Would you be able to post the contents of the CSR file?

I managed to reproduce this problem myself locally …

{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: Rechecking CAA for \"xoo.foo.monkas.xyz\" and 1 more identifiers failed. Refer to sub-problems for more information",
  "status": 403,
  "subproblems": [
    {
      "type": "urn:ietf:params:acme:error:urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for xoo.foo.monkas.xyz: CAA record for xoo.foo.monkas.xyz prevents issuance",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "xoo.foo.monkas.xyz"
      }
    },
    {
      "type": "urn:ietf:params:acme:error:urn:ietf:params:acme:error:caa",
      "detail": "Error finalizing order :: While processing CAA for xoo.foo.monkas.xyz: CAA record for xoo.foo.monkas.xyz prevents issuance",
      "status": 403,
      "identifier": {
        "type": "dns",
        "value": "xoo.foo.monkas.xyz"
      }
    }
  ]
}

By creating a CSR with these SANs and sending it into finalization:

X509v3 Subject Alternative Name:
    DNS:foo.monkas.xyz, DNS:foo.monkas.xyz, DNS:xoo.foo.monkas.xyz

@lestaff any confirmation? (I’m wary that this might actually be possible to apply as a CAA re-checking bypass … maybe I should delete and send to security@ …)

5 Likes