Unable to create cert


#1

My domain is:
decserv.tplinkdns.com
I ran this command:
sudo -H ./letsencrypt-auto certonly --standalone -d decserv.tplinkdns.com -d decserv.tplinkdns.com
It produced this output:


(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for decserv.tplinkdns.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. decserv.tplinkdns.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for decserv.tplinkdns.com prevents issuance

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for decserv.tplinkdns.com
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. decserv.tplinkdns.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for decserv.tplinkdns.com prevents issuance

IMPORTANT NOTES:

My web server is (include version):
na
The operating system my web server runs on is (include version):
na
My hosting provider, if applicable, is:
tplinkdns.com
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @boomramada

Your DNS server looks broken.

Checked with

https://sslmate.com/caa/

using the “Load Current Policy” option there.

Answer:

decserv.tplinkdns.com has broken DNS servers that do not handle CAA properly: DNS server returned a malformed DNS response


#3

Hi
Is there a way to fix it?


#4

Whoever operates the tplinkdns.com DNS servers needs to fix their software.

If that’s not you, all you can do is contact them, and use another DNS service in the meantime.

Oddly enough, there are other certificates issued as recently as this week, so it must have worked before:

https://crt.sh/?q=%tplinkdns.com
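
The failure discussed in this thread, as an added example that is not part of the original posts or of any Let's Encrypt or sslmate code: a minimal parser that classifies a raw DNS response to a CAA query and keeps "malformed" and "lookup failed" separate from "no CAA record here", since only the last one lets issuance proceed. The function names, verdict strings and sample packets are constructed for illustration; it evaluates only the `issue` property at a single name (no climbing to parent names, no `issuewild`).

```python
import struct

CAA = 257  # CAA RR type (RFC 8659)

def build_query(name, txid=0x1234):  # DNS query for the CAA RRset of `name`
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack(">6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", CAA, 1)

def _skip_name(msg, off):  # offset just past a name; a compression pointer ends it
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def check_caa(query, resp, ca="letsencrypt.org"):
    """Return (verdict, records); a response that cannot be parsed is 'malformed'."""
    try:
        txid, flags, qd, an, _, _ = struct.unpack(">6H", resp[:12])
        if txid != struct.unpack(">H", query[:2])[0] or not (flags & 0x8000):
            return "malformed", []
        if (flags & 0xF) not in (0, 3):  # SERVFAIL, REFUSED, NOTIMP, ...
            return "lookup-failed", []
        off, records = 12, []
        for _ in range(qd):
            off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an):
            off = _skip_name(resp, off)
            rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
            rdata = resp[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if len(rdata) != rdlen:  # RDLENGTH runs past the end of the packet
                return "malformed", []
            if rtype == CAA:  # RDATA = flags byte, tag length, tag, value
                end = 2 + rdata[1]
                records.append((rdata[0], rdata[2:end].decode("ascii").lower(), rdata[end:].decode("ascii")))
    except (IndexError, struct.error, UnicodeDecodeError):
        return "malformed", []
    if not records:
        return "no-caa-here", []  # a CA would go on to check the parent name
    if any(f & 0x80 and tag not in ("issue", "issuewild", "iodef") for f, tag, _ in records):
        return "forbids", records  # unknown property marked critical
    issuers = [v.split(";")[0].strip().lower() for _, tag, v in records if tag == "issue"]
    return ("permits" if ca in issuers or not issuers else "forbids"), records

def fake_response(query, rdatas, rcode=0):
    """Constructed sample data: echo the question, answer with the given CAA RDATA."""
    hdr = query[:2] + struct.pack(">5H", 0x8180 | rcode, 1, len(rdatas), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", CAA, 1, 300, len(r)) + r for r in rdatas)
    return hdr + query[12:] + rrs
```

To try it against a live server, send `build_query(name)` over UDP port 53 to one of the zone's authoritative name servers and pass the reply to `check_caa`.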

