Attempting to renew cert (whatsmyip.org) from /etc/letsencrypt/renewal/whatsmyip.org.conf produced an unexpected error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "t.whatsmyip.org" and 7 more identifiers failed. Refer to sub-problems for more information. Skipping.
My web server is (include version): Apache 2.4.41
The operating system my web server runs on is (include version): MacOS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.37.1
So I've been using this service to get SSL certs for many domains for a few years now, but as of mid October, this domain has been unable to renew. It's giving me this weird error that I don't understand. I have made no changes to my DNS setup or my certbot script setup. I'm not sure why this has stopped renewing, and even more strangely, all my other domains keep renewing without any issue.
Adding a CAA RR for the failing hostnames should work. Or change to a more RFC conforming DNS provider.
Note that for the hostname whatsmyip.org the DNS query on 1.18 doesn't fail, because the SOA RR is sent with the NOERROR reply. But for the t subdomain the SOA RR is NOT sent, leading to this SERVFAIL.
And in case you hadn't seen it yet, here's the official announcement of what changed:
You may want to mention it in a support ticket to hover.com or the like. They don't need to support CAA records (from reading other threads, it looks like they don't), but they do need to support sending a correct "no record found" response.
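The failure mode described above, as an added example (not code from this thread, from Let's Encrypt, or from Unbound): a small Python model of a CA's CAA check that climbs from the hostname toward the root and treats a NOERROR/NXDOMAIN reply without an SOA in the authority section as a failed lookup, the way a strict resolver does. The `Reply`, `classify` and `caa_permits` names and the sample replies are assumptions constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class Reply:
    """A simplified DNS reply to a CAA query (constructed model, not wire format)."""
    rcode: str                                      # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answer: list = field(default_factory=list)      # CAA records as (tag, value) tuples
    authority_soa: bool = False                     # SOA present in the authority section?

def classify(reply):
    """Map a reply to what a CA learns from it."""
    if reply.rcode == "NOERROR" and reply.answer:
        return "caa_present"
    if reply.rcode in ("NOERROR", "NXDOMAIN") and reply.authority_soa:
        return "no_caa"            # proper negative answer: no CAA at this name
    return "lookup_failed"         # SERVFAIL, or a negative answer missing its SOA (lame)

def caa_permits(zone, name, ca="letsencrypt.org"):
    """Climb from name toward the root (RFC 8659): the first name with CAA records decides.
    Returns True if the CA may issue, False if forbidden, None if a lookup failed."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        qname = ".".join(labels[i:])
        # Names not in the constructed zone answer a proper NODATA (SOA present).
        reply = zone.get(qname, Reply("NOERROR", authority_soa=True))
        state = classify(reply)
        if state == "lookup_failed":
            return None
        if state == "caa_present":
            issuers = [v for tag, v in reply.answer if tag == "issue"]
            return ca in issuers if issuers else True   # no "issue" tag: any CA may issue
    return True                    # no CAA anywhere in the chain

# Constructed replies mirroring the thread: the apex answers NODATA with an SOA,
# the "t" subdomain answers NODATA without one.
BROKEN = {
    "whatsmyip.org": Reply("NOERROR", authority_soa=True),
    "t.whatsmyip.org": Reply("NOERROR", authority_soa=False),
}
# The workaround suggested in the thread: publish a CAA record on the failing name,
# so the nameserver returns a positive answer instead of a lame negative one.
FIXED = {**BROKEN, "t.whatsmyip.org": Reply("NOERROR", [("issue", "letsencrypt.org")])}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("fixed", FIXED)):
        for host in ("whatsmyip.org", "t.whatsmyip.org"):
            print(label, host, caa_permits(zone, host))
```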
So curiously, whatsmyip.org's cert renewed last night. But I just ran the unboundtest and it still "fails" the same way it was before. Which suggests hover.com didn't make any changes. Did LE?
Yeah, they decided to throw caution to the wind and hope that it solved more problems for people than it might cause.
Really as far as I can tell the DNS systems that Unbound 1.18 wouldn't resolve are still "wrong", but it appears that 1.19 is (at least in some cases) allowing them to get away with it still anyway.
Quite alright. All advertising is good advertising.
Oh wait, on second thought, the "t." subdomain is a new site I'm working on that isn't live yet. A better subdomain to use, if by chance anyone reading this needs to use my site as an example in the future, would be www.whatsmyip.org and/or touch.whatsmyip.org. The new modern mobile site and tablet site are both under construction.