Trouble with Issuing Certs Due CAA

Server
1

Hello,

I am having problems renewing certificates, my site shows that SERVFAIL looking up CAA for www.uneschewed.com

Performing the following challenges:
http-01 challenge for www.uneschewed.com
Waiting for verification…
Challenge failed for domain www.uneschewed.com
http-01 challenge for www.uneschewed.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Do I need to place something into the CAA records for my domains?

2

The problem seems to be with DNSSEC.
https://letsdebug.net/www.uneschewed.com/30063
http://dnsviz.net/d/www.uneschewed.com/dnssec/

3

Hi @Uneschewed

looks like you have already fixed the problem.

There is a new Letsencrypt certificate ( https://check-your-website.server-daten.de/?q=uneschewed.com ).

CN=uneschewed.com
	23.03.2019
	22.06.2019
expires in 90 days	uneschewed.com - 1 entry

The tool doesn't see a DNSSEC error, perhaps it was a temporary problem.

But you should create one certificate with both domain names.

And there are a lot of cPanel-certificates.

4

PS: No, I see the same problem (didn’t read the output complete).

There is an NSEC that confirms that no www version exists.

www.uneschewed.com
	DS-Query in the parent zone has a valid NSEC RR as result with the domain name between the NSEC-Owner and the NextOwner. So the parent zone confirmes the non-existence of a DS RR.

But you have created a www entry.

Host T IP-Address is auth. ∑ Queries ∑ Timeout
uneschewed.com A 50.23.147.3 yes 1 0
AAAA yes
www.uneschewed.com A 50.23.147.3 yes 1 0
AAAA yes

So it looks that your DNSSEC isn’t updated.

2 Likes
5

There’s a wildcard A record, and also an NSEC record saying that no subdomains – the wildcard, www or anything else – exist.

Epik needs to run sudo pdnsutil rectify-zone uneschewed.com – or sudo pdnsutil rectify-all-zones and ensure that zones are automatically rectified in the future.

3 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.