LE is complaining that CAA prevents issuance during renewal. CAA has not changed since the last renewal, nor has certbot, its configuration, or the DNS records for the certificate.
Verified visible from multiple external systems. Verified OK with dnsviz.net (for DNSSEC).
The last successful renewal was 26-Mar-2023.
Has Boulder changed its CNAME processing, e.g. reduced tree climbing? If so, what are the minimal zones that need CAA records to make Boulder happy?
What's particularly odd is that NONE of the 6 domains requested in the certificate are accepted. So if it is a tree-climbing issue, I would expect the non-CNAME domains to be happy...
My domain is: litts.net
The requested certificate:
Subject: CN = wikiworld.litts.net
Subject Alternative Name:
I ran this command:
certbot -n renew
It produced this output:
Renewing an existing certificate for wikiworld.litts.net and 5 more domains
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Detail: CAA record for litts.net prevents issuance
The logfile doesn't reveal anything else of obvious interest.
My web server is (include version):
The operating system my web server runs on is (include version):
I can login to a root shell on my machine (yes or no, or I don't know):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0