Status 403: CAA record prevents issuance

Hi All,
I'm having trouble getting a LE cert. I have added a CAA record for LE to issue a wildcard cert.
But I get the error "CAA record for dev2.hurstinternal.co.uk prevents issuance".

Can someone please point me in the right direction to troubleshoot?

Certbot logs when failing:

[Tue Nov 10 16:52:12 GMT 2020] code='200'
[Tue Nov 10 16:52:12 GMT 2020] original='{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:caa",
"detail": "CAA record for dev2.hurstinternal.co.uk prevents issuance",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8506784895/w2gdqA",
"token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"validationRecord": [
{
"hostname": "dev2.hurstinternal.co.uk"
}
]

https://check-your-website.server-daten.de/?q=dev2.hurstinternal.co.uk


I'm not that familiar with CAA, but the hostname the error is for isn't a wildcard hostname. I'm guessing you'll need to set both issue as well as issuewild.

https://sslmate.com/caa/ tells me for a non-wildcard and wildcard cert you just set issue without setting issuewild.

OK, so if I understand the RFC correctly, the issue property is valid for any label, but the issuewild property is only valid for wildcard domains. Therefore, any wildcard certificate also containing a regular hostname would require a valid issue property, as the issuewild wouldn't cover it.

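To make the issue/issuewild distinction above concrete, here is a small CAA authorization check written for this page (it is an added example, not code from the thread or from Let's Encrypt's CA software). It parses records in the same presentation format the poster uses, climbs to the closest CAA RRset as RFC 8659 describes, and applies the rule the thread ran into: issuewild records govern wildcard names, issue records govern everything else, and an issuewild-only RRset therefore authorizes nobody for the bare name. The BEFORE zone is an assumption about what the poster originally had (the thread never shows it); the lookup starting at the label under the "*." is also an assumption, as are all zone contents.

```python
# Added example (not from the thread): a toy CAA authorization check in the
# spirit of RFC 8659, showing why an issuewild-only record blocks a
# certificate for the bare name. Zone contents below are constructed;
# nothing here queries real DNS.
from dataclasses import dataclass

CRITICAL = 128          # "issuer critical" bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_zone(text):
    """Parse lines in the presentation format the thread uses:
       owner. CAA <flags> <tag> "<value>"   ->   {owner: [CAARecord, ...]}"""
    zone = {}
    for line in text.strip().splitlines():
        owner, rrtype, flags, tag, value = line.split(None, 4)
        if rrtype.upper() != "CAA":
            raise ValueError(f"not a CAA record: {line!r}")
        rec = CAARecord(int(flags), tag.lower(), value.strip().strip('"'))
        zone.setdefault(owner.rstrip(".").lower(), []).append(rec)
    return zone


def relevant_caa_set(zone, name):
    """Climb from name towards the root; the first non-empty CAA RRset is
       the relevant one (RFC 8659 section 3). Returns [] if none exists."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value):
    """issue/issuewild value is  issuer-domain-name [; param=value ...];
       an empty issuer-domain-name (value ";") authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, ca_domain):
    """True if ca_domain may issue for fqdn under the CAA records in zone."""
    wildcard = fqdn.startswith("*.")
    # Assumption: for "*.x" the lookup starts at "x"; the wildcard label
    # itself carries no CAA records in this model.
    rrset = relevant_caa_set(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True                      # no CAA anywhere up the tree
    # An unknown tag marked critical must stop issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    if not issue and not issuewild:
        return True                      # e.g. only iodef: no restriction
    # issuewild governs wildcard names when present; otherwise issue does.
    # For a non-wildcard name issuewild is ignored, so an issuewild-only
    # RRset leaves nobody authorized for the bare name.
    applicable = issuewild if (wildcard and issuewild) else issue
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


# Constructed zones. BEFORE is the assumed original record (issuewild only);
# AFTER is the record the poster switched to.
BEFORE = parse_zone('dev2.hurstinternal.co.uk. CAA 0 issuewild "letsencrypt.org"')
AFTER = parse_zone('dev2.hurstinternal.co.uk. CAA 0 issue "letsencrypt.org"')

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        for name in ("dev2.hurstinternal.co.uk", "*.dev2.hurstinternal.co.uk"):
            print(label, name, caa_permits(zone, name, "letsencrypt.org"))
```

Running it shows the thread's symptom directly: with BEFORE, the wildcard name is permitted but the bare dev2 name is refused; with AFTER both are permitted, because an issue record covers wildcard names too when no issuewild record is present. The check also honours an empty issuer (`issue ";"`), parameters after the issuer name, records inherited from a parent label, and the critical flag on an unrecognized tag.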

Brilliant!
That cleared the issue.
I changed my CAA record to

dev2.hurstinternal.co.uk. CAA 0 issue "letsencrypt.org"

Thanks a lot for your help.

