In the past I have used letsencrypt successfully from a Raspberry Pi. The SD card of the Pi has broken and I have since moved some of the applications I want to access securely over to my QNAP NAS.
QNAP have introduced using letsencrypt to add certificates to the NAS via a GUI. Unfortunately I’m not able to request a certificate for my original domain name. Using another dynamic DNS does work, and QNAP support indicates that this is probably due to the domain name already having been registered at Let’s Encrypt before.
Can you please tell me if this is the case, and if so, if I can remedy the situation?
It’s my understanding that Let’s Encrypt will not issue if it gets SERVFAIL in response to a CAA query; the DNS server has to return NOERROR or a valid CAA record. Perhaps some of the DNS experts here can provide more detailed (or indeed more accurate) help, but I think this is something you’ll have to take up with your DNS provider.
Hi @jmorahan, I cannot seem to reproduce your result.
Do you still have the same result?
dig thuis.robertsirre.nl caa
with me results in:
; <<>> DiG 9.9.5-9+deb8u13-Raspbian <<>> thuis.robertsirre.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42507
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thuis.robertsirre.nl. IN A
;; ANSWER SECTION:
thuis.robertsirre.nl. 602 IN CNAME atreyu.tplinkdns.com.
atreyu.tplinkdns.com. 602 IN A 95.96.113.25
;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 17 23:01:59 UTC 2017
;; MSG SIZE rcvd: 99
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3616
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;caa. IN A
;; AUTHORITY SECTION:
. 600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017121701 1800 900 604800 86400
;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 17 23:01:59 UTC 2017
;; MSG SIZE rcvd: 107
Which looks like no error, right?
In the meantime I was able to get the certificate once when I rerouted the CNAME to another dynamic DNS, but when I changed it back, the error is back too. (obfuscated by the QNAP GUI)
Yes, I still get the same (bad) result. You seem to be using an old version of dig that doesn’t know about CAA records - if you use type257 instead of caa you should see what I’m seeing.
You can also check on https://unboundtest.com/ which checks your DNS using a configuration very similar to what Let’s Encrypt uses. This also gives an error (with more detail, though I’m not sure how to interpret it…)
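To make the `type257` advice concrete: CAA is DNS RR type 257, and a dig too old to know the mnemonic treats `caa` as a second query name (hence the `;caa. IN A` / NXDOMAIN block above). The following is an added example, not code from anyone in this thread: it builds the raw wire query that `dig name type257` sends, parses a response into its RCODE and CAA records, and applies the rule stated earlier (SERVFAIL on the CAA lookup blocks issuance). `build_caa_response` is a constructed fixture standing in for a real server's reply, and the domain name is just the one from the thread used as sample input.

```python
import struct
QTYPE_CAA = 257  # CAA RR type; a dig that predates CAA only knows it as "type257"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):  # dotted name -> DNS wire labels, root-terminated
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):  # follows compression pointers; returns (name, next offset)
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # pointer to an earlier copy of the rest of the name
            rest, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [rest]), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def build_caa_query(name, txid=0x1234):  # what `dig name type257` puts on the wire
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_CAA, 1)

def parse_caa_response(msg):  # -> (rcode name, [(flags, tag, value), ...])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_CAA:  # RDATA = flags(1) taglen(1) tag value
            taglen = rdata[1]
            records.append((rdata[0], rdata[2:2 + taglen].decode(), rdata[2 + taglen:].decode()))
    return rcode, records

def issuance_blocked(rcode):  # the rule from the thread: SERVFAIL on CAA stops issuance
    return rcode == "SERVFAIL"

def build_caa_response(query, rcode, caa=None):  # constructed fixture, not a real reply
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if caa else 0, 0, 0)
    body = query[12:]  # echo the question section
    if caa:
        flags, tag, value = caa
        rdata = bytes([flags, len(tag)]) + tag.encode() + value.encode()
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CAA, 1, 3600, len(rdata)) + rdata
    return header + body
```

Sending `build_caa_query(...)` over UDP to your resolver and feeding the reply to `parse_caa_response` gives the same RCODE that unboundtest.com reports, without depending on what your local dig knows about CAA.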