Timeouts looking up CAA for my domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: acme.tastylime.net

I ran this command: the acme-dns server

It produced this output:

time="2024-08-18T22:48:58Z" level=debug msg="Answering question for domain" domain=ACmE.tAstYLiMe.neT. qtype=CAA rcode=NOERROR
1.724021344449475e+09 error acme_client challenge failed {"identifier": "acme.tastylime.net", "challenge_type": "dns-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: query timed out looking up CAA for acme.tastylime.net", "instance": "", "subproblems": }}
1.7240213444498343e+09 error acme_client validating authorization {"identifier": "acme.tastylime.net", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: query timed out looking up CAA for acme.tastylime.net", "instance": "", "subproblems": }, "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/159886473/18497960303", "attempt": 1, "max_attempts": 3}
1.7240213444499683e+09 error obtain could not get certificate from issuer {"identifier": "acme.tastylime.net", "issuer": "acme-staging-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: query timed out looking up CAA for acme.tastylime.net"}
1.7240213444500387e+09 error obtain will retry {"error": "[acme.tastylime.net] Obtain: [acme.tastylime.net] solving challenge: acme.tastylime.net: [acme.tastylime.net] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: query timed out looking up CAA for acme.tastylime.net (ca=https://acme-staging-v02.api.letsencrypt.org/directory)", "attempt": 5, "retrying_in": 600, "elapsed": 755.182194467, "max_duration": 2592000}

My web server is (include version):
Not relevant

The operating system my web server runs on is (include version):
NetBSD 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

acme-dns v0.8

Hi @riz94107,

Here is what unboundtest.com sees https://unboundtest.com/m/CAA/acme.tastylime.net/OQQLZ6NA

And letsdebug.net is revealing HTTP-01 https://letsdebug.net/acme.tastylime.net/2183487

1 Like

I just want to provide some context: I've been using this setup for solving dns-01 since 2020, and I just happened to discover this issue on my machine running acme-dns while trying to get certs for a new domain.

Apparently, the cert for this server was last issued on May 13:
-rw------- 1 root users 3328 May 13 02:55 acme.tastylime.net.crt

The errors I'm getting are apparently because letsencrypt is timing out while looking up CAA records for acme.tastylime.net - as far as I know, I've never set up CAA records - is this a new requirement?

The logs above show output after I switched to staging for repeated testing - which errors out in the same way. As far as I know, I haven't changed anything - and I'm worried because my actual certs are probably going to start expiring soon. :frowning:

Any suggestions for what to do? I'm pretty confused, but I do have full control of my DNS.

And the DNS-01 challenge seems ok here https://letsdebug.net/acme.tastylime.net/2183498

1 Like

Hm. I've never used HTTP-01 (that I can recall) on this host; I agree that DNS-01 largely works (certainly used to), except for the part where I get an error in the logs saying the CAA lookup timed out and no new cert. :frowning:

The web server/dns server here is GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely; I just updated it to the latest version to see if it would fix anything, but no dice.

The latest version seems to be 3.07 GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

1 Like

That's acme.sh, not acme-dns

1 Like

Sorry! :frowning:

1 Like

Looking further, it looks like staging may have actually issued a cert a little while ago. I may try switching back to prod, though I think I hit the rate limit :frowning:

Is up to 1.0

1 Like

You're right; 1.0 is actually what I just upgraded to (not sure why I thought it was 0.8)

1 Like

Yeah, I switched back and it looks like the issue is still there. I see lots of lookups like this:

time="2024-08-18T23:16:58Z" level=debug msg="Answering question for domain" domain=acme.tastylime.net. qtype=CAA rcode=NOERROR

but also errors like this:

1.724022999108645e+09 error acme_client challenge failed {identifier: acme.tastylime.net, challenge_type: dns-01, problem: {type: urn:ietf:params:acme:error:dns, title: , detail: DNS problem: query timed out looking up CAA for acme.tastylime.net, instance: , subproblems: }}
1.7240229991089318e+09 error acme_client validating authorization {identifier: acme.tastylime.net, problem: {type: urn:ietf:params:acme:error:dns, title: , detail: DNS problem: query timed out looking up CAA for acme.tastylime.net, instance: , subproblems: }, order: https://acme-staging-v02.api.letsencrypt.org/acme/order/159886473/18498316033, attempt: 1, max_attempts: 3}
1.724022999109029e+09 error obtain could not get certificate from issuer {identifier: acme.tastylime.net, issuer: acme-v02.api.letsencrypt.org-directory, error: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: query timed out looking up CAA for acme.tastylime.net}
1.7240229991090786e+09 error obtain will retry {error: [acme.tastylime.net] Obtain: [acme.tastylime.net] solving challenge: acme.tastylime.net: [acme.tastylime.net] authorization failed: HTTP 400 urn:ietf:params:acme:error:dns - DNS problem: query timed out looking up CAA for acme.tastylime.net (ca=https://acme-staging-v02.api.letsencrypt.org/directory), attempt: 2, retrying_in: 120, elapsed: 126.19523131, max_duration: 2592000}

Now for just the domain name tastylime.net unboundtest shows https://unboundtest.com/m/CAA/tastylime.net/Z3VLTGKI

Query results for CAA tastylime.net

Response:
;; opcode: QUERY, status: NOERROR, id: 30006
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 1232

;; QUESTION SECTION:
;tastylime.net.	IN	 CAA

;; AUTHORITY SECTION:
tastylime.net.	0	IN	SOA	boogers.sf.ca.us. postmaster.boogers.sf.ca.us. 2024081800 10800 1800 3600000 300

----- Unbound logs -----
Aug 18 23:17:43 unbound[3037:0] debug: creating udp6 socket ::1 1053
Aug 18 23:17:43 unbound[3037:0] debug: creating tcp6 socket ::1 1053
Aug 18 23:17:43 unbound[3037:0] debug: creating udp4 socket 127.0.0.1 1053
Aug 18 23:17:43 unbound[3037:0] debug: creating tcp4 socket 127.0.0.1 1053
Aug 18 23:17:43 unbound[3037:0] debug: chdir to .

1 Like

Right - if I'm reading those right, it's correctly showing no CAA record for tastylime.net. Looking at the one for acme.tastylime.net again, I see now (didn't see it at first) that it seems to be timing out (which would explain the whole problem)

I guess I get to figure out how to troubleshoot that; I do see what appear to be successful queries, but perhaps something else is going on.

Thanks for your help; this at least points me somewhere.

1 Like

A CAA record is not required but Let's Encrypt must look for them to be sure it is allowed to issue a cert for your domain.

It has to walk your entire tree to look at each level and this can be a lot of queries. Sometimes it is hard to know what piece is slow given the timeout is for the entire process.

That said, we commonly use dnsviz and it shows a problem with your AAAA glue record. And UDP is very slow as a result. Does this help identify your DNS problem?

https://dnsviz.net/d/acme.tastylime.net/dnssec/

3 Likes
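The tree walk described in the post above, as an added example (this is not code from the thread or from Let's Encrypt's own software): a simulated CAA lookup over constructed zone data, showing why a timeout at any one level makes the whole check fail and how `issue` tags are evaluated once a record is found. The zone contents and the `make_resolver` helper are constructed for illustration.

```python
from typing import Callable, Optional

# Constructed sample data (not real DNS answers). Each name maps to a list of
# CAA (flags, tag, value) tuples, [] for "name exists, no CAA records", or
# None to stand in for a query that times out, as happened in the thread.
SAMPLE_ZONE = {
    "acme.tastylime.net.": None,  # constructed: this level times out
    "tastylime.net.": [],         # NOERROR, ANSWER: 0 (matches unboundtest)
    "net.": [],
}

Resolver = Callable[[str], Optional[list]]

def make_resolver(zone: dict) -> Resolver:
    """Names absent from the zone behave like NXDOMAIN: no CAA at that level."""
    return lambda name: zone.get(name, [])

def caa_query_names(fqdn: str) -> list:
    """Every name the CA must query, from the FQDN up to the TLD."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def relevant_caa_set(fqdn: str, resolve: Resolver) -> list:
    """RFC 8659 tree walk: first non-empty CAA RRset climbing toward the root.
    A timeout at any level leaves the answer unknown; raising here is how a
    CA fails closed instead of issuing without an authoritative answer."""
    for name in caa_query_names(fqdn):
        rrset = resolve(name)
        if rrset is None:
            raise TimeoutError(f"query timed out looking up CAA for {name}")
        if rrset:
            return rrset
    return []

def validate_caa(fqdn: str, ca_domain: str, resolve: Resolver) -> str:
    """'permitted', 'forbidden', or 'timeout' for a non-wildcard name."""
    try:
        rrset = relevant_caa_set(fqdn, resolve)
    except TimeoutError:
        return "timeout"
    # Only the 'issue' property restricts non-wildcard issuance; an RRset with
    # no 'issue' tags (e.g. only iodef) leaves the name unrestricted.
    issuers = [v.split(";")[0].strip() for (_flags, tag, v) in rrset if tag == "issue"]
    if not issuers:
        return "permitted"
    return "permitted" if ca_domain in issuers else "forbidden"
```

With the constructed zone, `validate_caa("acme.tastylime.net", "letsencrypt.org", make_resolver(SAMPLE_ZONE))` returns `"timeout"` even though the parent levels answer cleanly, which is exactly the failure mode the CA error message reports.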

I could certainly believe a AAAA problem - I'll look that over

1 Like

I haven't fixed the AAAA record, but sure enough, when I remove it (and use IPv4 only) things seem to have magically started working.

I can take it from here - thanks a TON for all the help.

3 Likes