I am trying to generate a cert with a headline domain of 2x2devtest45.ilabs.io and a SAN of gslb454647.ilabs.io with a
dns-01 challenge auth.
gslb454647.ilabs.io is a CNAME to gslb454647.gslb.ilabs.io, and gslb.ilabs.io has its own, separate nameservers.
This complicated setup worked in October, but now I’m getting this back-
"detail": "DNS problem: query timed out looking up CAA for gslb454647.ilabs.io",
I can verify that the acme challenge TXT record exists on the ilabs.io nameservers, so I’m concerned that it’s checking the gslb.ilabs.io nameserver instead, but I don’t know. I’m also not totally sure if this should work.
I don’t see any reason why that wouldn’t work in general. Your issue seems to be with the
gslb454647.ilabs.io nameservers aren’t responding to CAA queries. These are mandatory checks now for all public CAs (as of mid-September 2017), so the timeout will block issuance. You may want to check on what’s going on there to start.
gslb.ilabs.io. nameservers aren’t responding to any other types of queries either.
The gslb.ilabs.io nameservers are internal testing things that get turned on and off, I’m trying to clarify that (if?) the whole flow should be independent of them, since gslb454647.ilabs.io lives on the top level.
ilabs.io itself is hosted on Route53, which is supposed to support CAA, and this whole flow works for dozens of other domains in ilabs.io, before and after this particular set of records stopped working. They don’t have SANs that are CNAMEs to subdomains with independent nameservers though.
Let’s Encrypt effectively does
$ dig gslb454647.ilabs.io. caa
$ dig ilabs.io. caa
$ dig io. caa
(The queries are made in parallel, but processed in order.)
The first query needs to succeed, either returning a
CAA record set, an
NXDOMAIN or a
You can’t get a certificate if it results in an error because the nameservers are offline.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.