I am trying to generate a cert with a headline domain of and a SAN of with a dns-01 challenge auth. is a CNAME to, and has its own, separate nameservers.

This complicated setup worked in October, but now I’m getting this back-

  "type": "dns-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: query timed out looking up CAA for",
    "status": 400

I can verify that the acme challenge TXT record exists on the nameservers, so I’m concerned that it’s checking the nameserver instead, but I don’t know. I’m also not totally sure if this should work.

I don’t see any reason why that wouldn’t work in general. Your issue seems to be with the nameservers aren’t responding to CAA queries. These are mandatory checks now for all public CAs (as of mid-September 2017), so the timeout will block issuance. You may want to check on what’s going on there to start.

The nameservers aren’t responding to any other types of queries either.

The nameservers are internal testing things that get turned on and off, I’m trying to clarify that (if?) the whole flow should be independent of them, since lives on the top level. itself is hosted on Route53, which is supposed to support CAA, and this whole flow works for dozens of other domains in, before and after this particular set of records stopped working. They don’t have SANs that are CNAMEs to subdomains with independent nameservers though.

Let’s Encrypt effectively does

$ dig caa
$ dig caa
$ dig io. caa

(The queries are made in parallel, but processed in order.)

The first query needs to succeed, either returning a CAA record set, an NXDOMAIN or a NODATA NOERROR.

You can’t get a certificate if it results in an error because the nameservers are offline.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.