Still CAA problem


#1

My domain is zignago.com. I need a certificate for cda and cda-iniviti.
I use IIS 10.

Letsencrypt for Windows returns:
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:dns
[EROR] [detail] DNS problem: query timed out looking up CAA for cda.zignago.com
[EROR] [status] 400
[EROR] Create certificate failed

I created CAA records in DNS. They seem ok. The error still remains…
I don’t know how to solve it anymore…

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> caa cda.zignago.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6995
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cda.zignago.com. IN CAA

;; ANSWER SECTION:
cda.zignago.com. 2775 IN CAA 0 issue "letsencrypt.org"

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu May 10 17:56:33 2018
;; MSG SIZE rcvd: 67

Regards,
Graziano


#2

The dig output you’re posting is from 1.1.1.1, while Let’s Encrypt uses the authoritative servers for your domain (ns.infuturo.it and ns.iunet.it). Neither of those respond to requests for CAA records (try dig @ns.infuturo.it caa cda.zignago.com to see for yourself). And the lack of response is the problem–Let’s Encrypt doesn’t need to see a CAA record, they just need to see the authoritative nameserver respond properly when asked for one.


#3

Graphically: http://dnsviz.net/d/cda.zignago.com/dnssec/


#4

Danb35, I’ve tried. It responds with:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @ns.infuturo.it caa cda.zignago.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62920
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;cda.zignago.com. IN CAA

;; ANSWER SECTION:
cda.zignago.com. 3600 IN CAA 0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zignago.com. 3600 IN NS ns.infuturo.it.
zignago.com. 3600 IN NS ns.iunet.it.

;; ADDITIONAL SECTION:
ns.infuturo.it. 28800 IN A 192.106.1.9

;; Query time: 10 msec
;; SERVER: 192.106.1.9#53(192.106.1.9)
;; WHEN: Fri May 11 16:11:36 2018
;; MSG SIZE rcvd: 134

It seems ok. Or not???

Regards,
Graziano.


#5

Osiris, what does

cda.zignago.com/CAA: No response was received from the server over UDP (tried 8 times). (192.106.1.1, 192.106.1.9, UDP_0_NOEDNS)

mean?

Regards,
Graziano.


#6

Still not working for me. Is it possible that your ISP’s nameservers don’t respond to DNS requests (or to certain DNS requests) from outside? That would seem like an odd configuration, but it would explain the discrepancy.


#7

Hi @gtartari,

That means your DNS servers only answer requests for CAA records via TCP but not UDP (at least from my side), and that is clearly wrong.

Using udp:

$ dig @ns.infuturo.it cda.zignago.com caa +short

; <<>> DiG 9.9.7 <<>> @ns.infuturo.it cda.zignago.com caa +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Using tcp:

$ dig @ns.infuturo.it cda.zignago.com caa +short +tcp
0 issue "letsencrypt.org"

Cheers,
sahsanu


#8

Clear, without doubt.

Regards,
Graziano.


#9

Sahsanu,
now I get this response:

[11:01 Tue May 15 ~]$ dig @ns.infuturo.it cda.zignago.com caa +short
0 issue "letsencrypt.org"

But Letsencrypt cannot query the DNS…

[EROR] [type] urn:acme:error:dns
[EROR] [detail] DNS problem: SERVFAIL looking up CAA for cda.zignago.com
[EROR] [status] 400

Where is the problem??

Regards,
Graziano.


#10

Hi @gtartari,

I don’t know how your authoritative name servers are configured, but they fail to answer requests for CAA records over UDP from some countries (it works fine for every country I tried if I request the CAA record over TCP, or any other record like A over UDP or TCP).

From SPAIN (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.9.7 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From US (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

From UK (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From FRANCE Location 1 (FAIL):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short

; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

From FRANCE Location 2 (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

From GERMANY (OK):

$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

Using Google DNS public resolver (FAIL):

$ dig -4 @8.8.8.8 cda.zignago.com caa +notcp

; <<>> DiG 9.11.1 <<>> -4 @8.8.8.8 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34055
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cda.zignago.com.               IN      CAA

;; Query time: 2016 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 15 11:34:50 CEST 2018
;; MSG SIZE  rcvd: 44

Using Cloudflare DNS public resolver (OK):

$ dig -4 @1.1.1.1 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"

Using QUAD DNS public resolver (FAIL):

$ dig -4 @9.9.9.9 cda.zignago.com caa +notcp

; <<>> DiG 9.11.1 <<>> -4 @9.9.9.9 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2270
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cda.zignago.com.               IN      CAA

;; Query time: 3023 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue May 15 11:35:43 CEST 2018
;; MSG SIZE  rcvd: 44

If you check it using dnsviz you get this problem:

cda.zignago.com/CAA: No response was received from the server over UDP (tried 8 times). (192.106.1.1, 192.106.1.9, UDP_0_NOEDNS)

I don’t know what is going on, but there is something strange with your authoritative DNS servers.

Good luck,
sahsanu
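The UDP-versus-TCP comparison sahsanu runs with dig, as an added stdlib-only Python probe; this is not code from the thread or from any Let's Encrypt tool. The server address 192.106.1.9 and the name cda.zignago.com come from the thread; the function names are my own, and the probe sends one CAA query with RD clear, which is how a validator talks to an authoritative server.

```python
import socket
import struct

CAA_TYPE = 257  # RR type number for CAA (RFC 8659)

def build_caa_query(name, txid=0x1234):
    """Wire-format query for <name> IN CAA with RD clear, as sent to an authoritative server."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", CAA_TYPE, 1)

def _read_name(data, off):  # decode a possibly compressed name -> (name, offset just after it)
    labels, end = [], None
    while (ln := data[off]) != 0:
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, but remember where the name ended
            end, off = end or off + 2, struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + ln].decode())
            off += 1 + ln
    return ".".join(labels), end or off + 1

def parse_caa_response(data):
    """Return (rcode name, [(flags, tag, value), ...]) parsed from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = _read_name(data, off)[1] + 4
    for _ in range(an):
        off = _read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == CAA_TYPE:  # rdata = flags(1) taglen(1) tag value
            records.append((rdata[0], rdata[2:2 + rdata[1]].decode(), rdata[2 + rdata[1]:].decode()))
    return {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, "RCODE%d" % (flags & 0xF)), records

def probe(server_ip, name, tcp=False, timeout=3.0):
    """Ask one server for CAA over UDP or TCP; returns ('TIMEOUT', []) or (rcode, records)."""
    q = build_caa_query(name)
    try:
        if tcp:  # DNS over TCP: two-byte length prefix on the query and on the reply
            with socket.create_connection((server_ip, 53), timeout) as s:
                s.sendall(struct.pack(">H", len(q)) + q)
                data = s.recv(struct.unpack(">H", s.recv(2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server_ip, 53))
                data = s.recv(4096)
    except OSError:  # socket.timeout is an OSError subclass: no reply within the deadline
        return "TIMEOUT", []
    return parse_caa_response(data)
```

Run probe("192.106.1.9", "cda.zignago.com") once with tcp=False and once with tcp=True for each authoritative server: a ('TIMEOUT', []) over UDP beside a ('NOERROR', [...]) over TCP is exactly the condition this thread describes, while ('NOERROR', []) over both is what a CA needs to see when no CAA record exists.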

