I am trying to generate a certificate to accommodate HTTPS for our internal Artifactory. No visibility outside the company. We are using acme.sh to automate the dns_01 challenges on our GoDaddy DNS provider. It has always worked in the past, but now I added a new wildcard *.jfrog-osp.kaloom.io for some redundancy and it does not seem to work.
On our internal DNS server, jfrog-osp.kaloom.io is an A record that points to the IP of the server. jforg.kaloom.io is a CNAME pointing to jfrog-osp.kaloom.io. Not sure this is relevant though.
I was able to generate the equivalent with *.jfrog-ocp.apps.os-sanbox.kaloom.io for our tests on Red Hat OpenShift and it worked fine.
I can see the TXT record in our DNS provider, and the script proceeds with validation when I see the propagation using 8.8.8.8, so all seems good. I cannot understand what fails with that validation.
There is this entry at the beginning of the log about pending status for that specific subdomain; not sure if it's normal:
Getting webroot for domain='*.jfrog-osp.kaloom.io'
_w='dns_gd'
_currentRoot='dns_gd'
entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/67807072910/WNcw7A","token":"4utJ3ybuSwpty64qXSKb6j9GL5AHMWqDLIeC9fekFRE"'
My domain is: kaloom.io
I ran this command:
/root/.acme.sh/acme.sh --issue --force --log --dns dns_gd -d kaloom.io -d *.kaloom.io -d *.artifactory.kaloom.io -d *.jfrog-osp.kaloom.io -d *.jfrog-ocp.kaloom.io -d *.jfrog.kaloom.io
It produced this output:
*.jfrog-osp.kaloom.io:Verify error:DNS problem: SERVFAIL looking up CAA for jfrog-osp.kaloom.io - the domain's nameservers may be malfunctioning
My web server is (include version):
It is an internal artifactory site in my company
The operating system my web server runs on is (include version):
Docker instance of artifactory on Centos VM
My hosting provider, if applicable, is:
GoDaddy
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh v2.8.6 (GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol)
Here is an image of the output just before it fails:
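A check worth running for an error like "SERVFAIL looking up CAA for jfrog-osp.kaloom.io": before issuing for a name, the CA queries the CAA record type for that name (with the "*." stripped for a wildcard) and then for each parent label, stopping at the first label that returns a CAA RRset. A TXT record that is visible through 8.8.8.8 says nothing about whether those CAA queries succeed, since the CA resolves against the zone's authoritative servers and not a public recursive resolver. The script below is an added example, not part of the original post or of acme.sh: it lists the names the CA will query for CAA and runs dig against each one, reporting the DNS status. The resolver argument defaults to 8.8.8.8; for a meaningful test, pass one of the zone's authoritative nameservers (from dig NS kaloom.io). The dig_status helper only parses dig's header line, so it can be tested offline on constructed output.

```shell
#!/bin/sh
# caa_chain.sh (added example, not from the original post or acme.sh)
# Usage: sh caa_chain.sh '*.jfrog-osp.kaloom.io' [resolver-ip]

# Print the name the CA checks for CAA, then each parent label, one per line.
# A leading "*." is removed first: for a wildcard the check starts at the parent.
caa_chain() {
    n="${1#\*.}"
    while [ -n "$n" ]; do
        printf '%s\n' "$n"
        case "$n" in
            *.*) n="${n#*.}" ;;   # drop the leftmost label
            *)   n="" ;;          # reached the TLD, stop
        esac
    done
}

# Read dig output on stdin and print the status word from its header line,
# e.g. "NOERROR", "NXDOMAIN" or "SERVFAIL". Prints nothing if no header is present.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Query CAA for every name in the chain against the given resolver (needs network).
# A SERVFAIL for a name whose A/TXT records resolve fine points at how the
# authoritative server handles the CAA query type for that name.
check_caa() {
    resolver="${2:-8.8.8.8}"
    caa_chain "$1" | while read -r name; do
        st=$(dig +tries=1 +time=5 @"$resolver" "$name" CAA | dig_status)
        printf '%-35s %s\n' "$name" "${st:-NO_ANSWER}"
    done
}

# Only query the network when run with a name argument.
if [ "$#" -gt 0 ]; then
    check_caa "$1" "$2"
fi
```

NOERROR with an empty answer is the normal result for a label with no CAA record; only SERVFAIL (or no answer at all) on any name in the chain will block issuance. Because the check climbs the parents, a problem on kaloom.io would affect every name in the order, so a failure on jfrog-osp.kaloom.io alone narrows it to that label.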