Still CAA problem

gtartari · May 10, 2018, 3:57pm

My domain is zignago.com. Need certificate for cda and cda-iniviti
I use IIS 10.

Letsenrypt for windows returns me:
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:dns
[EROR] [detail] DNS problem: query timed out looking up CAA for cda.zignago.com
[EROR] [status] 400
[EROR] Create certificate failed

I create CAA record in DNS. They seem ok. Error still remains…
I don’t know how to solve it anymore…

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> caa cda.zignago.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6995
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cda.zignago.com. IN CAA

;; ANSWER SECTION:
cda.zignago.com. 2775 IN CAA 0 issue “letsencrypt.org”

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu May 10 17:56:33 2018
;; MSG SIZE rcvd: 67

Regards,
Graziano

danb35 · May 10, 2018, 4:23pm

The dig output you're posting is from 1.1.1.1, while Let's Encrypt uses the authoritative servers for your domain (ns.infuturo.it and ns.iunet.it). Neither of those respond to requests for CAA records (try dig @ns.infuturo.it caa cda.zignago.com to see for yourself). And the lack of response is the problem--Let's Encrypt doesn't need to see a CAA record, they just need to see the authoritative nameserver respond properly when asked for one.

Osiris · May 10, 2018, 4:38pm

Graphically: http://dnsviz.net/d/cda.zignago.com/dnssec/

gtartari · May 11, 2018, 2:16pm

Danb35, I’ve tried. It responds me:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @ns.infuturo.it caa cda.zignago.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62920
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cda.zignago.com. IN CAA

;; ANSWER SECTION:
cda.zignago.com. 3600 IN CAA 0 issue “letsencrypt.org”

;; AUTHORITY SECTION:
zignago.com. 3600 IN NS ns.infuturo.it.
zignago.com. 3600 IN NS ns.iunet.it.

;; ADDITIONAL SECTION:
ns.infuturo.it. 28800 IN A 192.106.1.9

;; Query time: 10 msec
;; SERVER: 192.106.1.9#53(192.106.1.9)
;; WHEN: Fri May 11 16:11:36 2018
;; MSG SIZE rcvd: 134

It seems ok. Or not???

Regards,
Graziano.

gtartari · May 11, 2018, 2:18pm

Osiris, what does

cda.zignago.com/CAA: No response was received from the server over UDP (tried 8 times). (192.106.1.1, 192.106.1.9, UDP_0_NOEDNS)

mean?

Regards,
Graziano.

danb35 · May 11, 2018, 2:22pm

Still not working for me. Is it possible that your ISP's nameservers don't respond to DNS requests (or to certain DNS requests) from outside? That would seem like an odd configuration, but it would explain the discrepancy.

sahsanu · May 11, 2018, 2:37pm

Hi @gtartari,

That means your dns servers only answer requests for CAA records via tcp but not udp (at least from my side) and that is clearly wrong.

Using udp:

$ dig @ns.infuturo.it cda.zignago.com caa +short

; <<>> DiG 9.9.7 <<>> @ns.infuturo.it cda.zignago.com caa +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Using tcp:

$ dig @ns.infuturo.it cda.zignago.com caa +short +tcp
0 issue "letsencrypt.org"

Cheers,
sahsanu

gtartari · May 11, 2018, 3:16pm

Clear, without doubt.

Regards,
Graziano.

gtartari · May 15, 2018, 9:07am

Sahsanu,
now I get this response:

[11:01 Tue May 15 ~]$ dig @ns.infuturo.it cda.zignago.com caa +short
0 issue “letsencrypt.org”

But letsenrypt cannot query the DNS…

[EROR] [type] urn:acme:error:dns
[EROR] [detail] DNS problem: SERVFAIL looking up CAA for cda.zignago.com
[EROR] [status] 400

Where is the problem??

Regards,
Graziano.

sahsanu · May 15, 2018, 9:40am

Hi @gtartari,

I don’t know how are your authoritative name servers configured but it fails to answer for CAA records requests over UDP from some countries (it works fine for every country I tried if I request CAA record over TCP or any other record like A over UDP or TCP).

From SPAIN (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.9.7 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From US (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

From UK (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From FRANCE Location 1 (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From FRANCE Location 2 (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

From GERMANY (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

Using Google DNS public resolver (FAIL):

$ dig -4 @8.8.8.8 cda.zignago.com caa +notcp

; <<>> DiG 9.11.1 <<>> -4 @8.8.8.8 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34055
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cda.zignago.com.               IN      CAA

;; Query time: 2016 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 15 11:34:50 CEST 2018
;; MSG SIZE  rcvd: 44

Using Cloudflare DNS public resolver (OK):

$ dig -4 @1.1.1.1 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

Using QUAD DNS public resolver (FAIL):

$ dig -4 @9.9.9.9 cda.zignago.com caa +notcp

; <<>> DiG 9.11.1 <<>> -4 @9.9.9.9 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2270
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cda.zignago.com.               IN      CAA

;; Query time: 3023 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue May 15 11:35:43 CEST 2018
;; MSG SIZE  rcvd: 44

If you check it using dnsviz you get this problem:

cda.zignago.com/CAA: No response was received from the server over UDP (tried 8 times). (192.106.1.1, 192.106.1.9, UDP_0_NOEDNS)

I don’t know what is going on but there is something strange with your Authoritative DNS Servers.

Good luck,
sahsanu

system · June 14, 2018, 9:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.