Renew cert error (ietf:params:acme:error:caa)

suthagar · March 18, 2019, 12:39pm

certbot renew --dry-run

Attempting to renew cert (equinoxi.com) from /etc/letsencrypt/renewal/equinoxi.com.conf produced an unexpected error: Failed authorization procedure. equinoxi.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for equinoxi.com prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/equinoxi.com/fullchain.pem (failure)

While cert renew i am seeing the above error… somebody help me in cert renewal… thks…

cpu · March 18, 2019, 1:14pm

Hi @suthagar,

It looks like your domain has CAA records that are slightly incorrect and it’s blocking issuance:

$ dig +short -tCAA equinoxi.com
0 issuewild "https://letsencrypt.org"
0 issue "https://letsencrypt.org"

Those two values should be letsencrypt.org without the https://.

If you remove the https:// prefix in your DNS you shouldn’t see this CAA error anymore.

Hope that helps!

suthagar · March 18, 2019, 1:18pm

@cpu

Thank you for the reply.

I changed this now. But still see the same error while renew

Attempting to renew cert (equinoxi.com) from /etc/letsencrypt/renewal/equinoxi.com.conf produced an unexpected error: Failed authorization procedure. equinoxi.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for equinoxi.com prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/equinoxi.com/fullchain.pem (failure)

cpu · March 18, 2019, 1:22pm

Hmmm, curious. The new CAA values look OK to me. Is it possible you retried before the authoritative nameservers had updated?

Could you try one more time?

suthagar · March 18, 2019, 1:24pm

@cpu

Hurray… It worked… Thanks a lot for your help.

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/equinoxi.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

cpu · March 18, 2019, 1:24pm

Woohoo

Glad to hear it. Have a great day,

JuergenAuer · March 18, 2019, 1:55pm

Hi @suthagar

but it's not really complete.

You have a www- and a non-www dns entry.

But your certificate

CN=equinoxi.com
	18.03.2019
	16.06.2019
expires in 90 days	equinoxi.com - 1 entry

has only one domain name.

So your www version isn't secure.

Create one certificate with both domain names. Add something like

-d equinoxi.com -d www.equinoxi.com

to create such a certificate.

system · April 17, 2019, 2:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.