SSL Issuance Error

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: win02.247workinghosting.com

I ran this command: Issuance for SSL Renewal

It produced this output: https://acme-v01.api.letsencrypt.org/acme/authz/TYlX5acPlW_ALdYh2FvkYuwSbk6MHgQy-aSKTKR5f8Q

My web server is (include version): Plesk

The operating system my web server runs on is (include version): Windows Server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Onyx

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/MqQ9-ElqKXh7S6R3SaXQzEE4q2vWSJgjMPEq2Y9bbME.
Details:
Type: urn:acme:error:caa
Status: 403
Detail: CAA record for win02.247workinghost.com prevents issuance

#2

Hi @umerkhokhar,

It looks to me like you’re a customer of the hosting provider 247workinghost, and they don’t want you to get certificates for subdomains of their domain. If so, that’s their choice.

Do you have your own domain name that you’ve registered for yourself? If not, and if you don’t intend to do this for some reason, you’ll need to ask 247workinghost whether it’s OK with them for you to get a certificate for this subdomain, and, if so, whether they can help you do so. It’s very unlikely that we can help you to do this without their cooperation!

#3

I am from 247workinghost.com and i want this certificate for my hostname, which is mentioned above as sub domain name. I want to renew it for myself and i have main administrative access to the server. Waiting for your help to re-generate it.

#4

The domain’s CAA records specifically do not allow Let’s Encrypt to issue certificates.

247workinghost.com.  2877  CAA  0 issue "comodoca.com"

To use Let’s Encrypt, you have to add a CAA record for 0 issue "letsencrypt.org" to 247workinghost.com or win02.247workinghost.com or remove the existing CAA record.

Do you have administrative access to the domain’s DNS?

#5

Yes i have access, do i have to delete the entry of old/existing certificate from the DNS records and need to re-issue ? Is it right or what to do, please mention step by step guide.

Thanks!

#6

You don’t have to do anything to your existing certificates.

You just have to add or remove one DNS record.

1 Like
#7

After deleting the record from DNS, i will try now with the re-issuance and update you soon.

#8

There was no record in the DNS, i have added the record as per the above help.
After adding the record, i hit the issuance button and it was generated successfully and i check it through:
https://www.sslshopper.com/ssl-checker.html#hostname=win02.247workinghost.com

Perfect!
Thanks to all

2 Likes
closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.