Unable to create cert

boomramada · October 4, 2018, 11:13am

My domain is:
decserv.tplinkdns.com
I ran this command:
sudo -H ./letsencrypt-auto certonly --standalone -d decserv.tplinkdns.com -d decserv.tplinkdns.com
It produced this output:

(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for decserv.tplinkdns.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. decserv.tplinkdns.com (http-01): urn:ietf:params :acme:error:caa :: CAA record for decserv.tplinkdns.com prevents issuance

IMPORTANT NOTES:

The following errors were reported by the server:
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for decserv.tplinkdns.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. decserv.tplinkdns.com (http-01): urn:ietf:params:acme:error:caa :: CAA record for decserv.tplinkdns.com prevents issuance

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: decserv.tplinkdns.com
Type: None
Detail: CAA record for decserv.tplinkdns.com prevents issuance

My web server is (include version):
na
The operating system my web server runs on is (include version):
na
My hosting provider, if applicable, is:
tplinkdns.com
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

JuergenAuer · October 4, 2018, 11:23am

Hi @boomramada

your dns server looks broken.

Checked with

https://sslmate.com/caa/

there the "Load Current Policy" - option.

Answer:

decserv.tplinkdns.com has broken DNS servers that do not handle CAA properly: DNS server returned a malformed DNS response

boomramada · October 4, 2018, 11:35am

Hi
Is there is a way to fix it?

mnordhoff · October 4, 2018, 11:39am

Whoever operates the tplinkdns.com DNS servers needs to fix their software.

If that’s not you, all you can do is contact them, and use another DNS service in the meantime.

Oddly enough, there are other certificates issued as recently as this week, so it must have worked before:

https://crt.sh/?q=tplinkdns.com

system · November 3, 2018, 11:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.