V1 API: CAA error oddity


#1
> curl https://acme-staging.api.letsencrypt.org/acme/authz/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8 | dejsonify
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1528  100  1528    0     0   5793      0 --:--:-- --:--:-- --:--:--  5787
---
challenges:
  -
    status: invalid
    token: f_pTnyCo4CxluGWVJf3xR3dOBYLIkuQsH5C1F52N1Ww
    type: dns-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468363
  -
    status: invalid
    token: 1MqufdU4z7Dvx7uu3nAsbELfToPYjflw5XJ18KRemVY
    type: tls-alpn-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468364
  -
    error:
      detail: CAA record for americangradual.org prevents issuance
      status: 403
      type: urn:acme:error:caa
    status: invalid
    token: NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU
    type: http-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468365
    validationRecord:
      -
        addressUsed: 67.227.147.204
        addressesResolved:
          - 67.227.147.204
        hostname: americangradual.org
        port: 80
        url: http://americangradual.org/.well-known/acme-challenge/NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU
combinations:
  -
    - 1
  -
    - 2
  -
    - 0
expires: 2018-11-15T19:58:55Z
identifier:
  type: dns
  value: americangradual.org
status: invalid

Is it by design that the error appears only in the challenge that I actually attempted? It would seem to me it should appear in all of them.


#2

That’s expected. We only attempted to validate one challenge, and as part of that validation we also opportunistically checked CAA.


#3

It just seems strange that the dns-01 challenge object (for example) says it's invalid but doesn't indicate why.


#4

Yep, I get that. In Boulder’s implementation, once one challenge for an authorization has been attempted and failed, the whole authorization becomes invalid.


#5

When an authz is marked invalid, are all of the challenges marked invalid?


#6

Yes, they are all marked invalid.


#7

Interesting. I’d never noticed. I guess if the authz has been found invalid there’s no logic in labeling the challenges as “pending”, but “invalid” without an explanation seems weird, too.

Anyhow, thanks!
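The behaviour described in posts #4, #6 and #7 (one failed attempt invalidates the whole authorization, every challenge is flipped to `invalid`, but only the attempted one carries the `error`) is easy to handle on the client side once you know to look for it. The script below is an added example, not code from the thread, from Boulder or from any Let's Encrypt client: it parses an authorization object, identifies which challenge was actually attempted, borrows that challenge's error to explain the siblings that have none, and flags a CAA failure as a problem with the identifier rather than with the challenge type (so the fix is the DNS record, not retrying dns-01 instead of http-01). The embedded JSON is reconstructed from the `dejsonify` output in post #1 (same tokens, URIs and error detail); the function names and the `IDENTIFIER_LEVEL_ERRORS` set are this example's own assumptions.

```python
"""Explain why the challenges of an ACME v1 authorization are invalid,
even for challenges that carry no error of their own.

Added example, not part of the original thread, of Boulder or of any
ACME client.  The sample authz is reconstructed from post #1."""
import json

# Constructed sample: the authorization pasted in post #1, as JSON
# (the post showed it converted to YAML by "dejsonify").
SAMPLE_AUTHZ_JSON = r'''
{
  "identifier": {"type": "dns", "value": "americangradual.org"},
  "status": "invalid",
  "expires": "2018-11-15T19:58:55Z",
  "challenges": [
    {"type": "dns-01", "status": "invalid",
     "token": "f_pTnyCo4CxluGWVJf3xR3dOBYLIkuQsH5C1F52N1Ww",
     "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468363"},
    {"type": "tls-alpn-01", "status": "invalid",
     "token": "1MqufdU4z7Dvx7uu3nAsbELfToPYjflw5XJ18KRemVY",
     "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468364"},
    {"type": "http-01", "status": "invalid",
     "token": "NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU",
     "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468365",
     "error": {"type": "urn:acme:error:caa", "status": 403,
               "detail": "CAA record for americangradual.org prevents issuance"},
     "validationRecord": [{"hostname": "americangradual.org", "port": 80,
                           "addressUsed": "67.227.147.204",
                           "addressesResolved": ["67.227.147.204"],
                           "url": "http://americangradual.org/.well-known/acme-challenge/NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU"}]}
  ],
  "combinations": [[1], [2], [0]]
}
'''

# Error types that are about the identifier (the name) rather than the
# challenge mechanism.  Assumption of this example: only the CAA type
# from the thread is listed; a CAA failure cannot be fixed by choosing a
# different challenge type, only by changing the CAA record.
IDENTIFIER_LEVEL_ERRORS = {"urn:acme:error:caa"}


def load_authz(text):
    """Parse an authorization object and do minimal shape checking."""
    authz = json.loads(text)
    for key in ("identifier", "status", "challenges"):
        if key not in authz:
            raise ValueError("authorization is missing %r" % key)
    return authz


def attempted_challenges(authz):
    """Challenges that show evidence of an actual validation attempt:
    Boulder attaches 'error' and/or 'validationRecord' only to those."""
    return [c for c in authz["challenges"]
            if "error" in c or "validationRecord" in c]


def explain_challenge(authz, chal_type):
    """Return (status, reason) for the challenge of the given type.

    If the challenge is invalid but carries no error, the reason is
    borrowed from the sibling challenge that was attempted, because one
    failed attempt invalidates the whole authorization (post #4/#6)."""
    by_type = {c["type"]: c for c in authz["challenges"]}
    chal = by_type[chal_type]
    if chal["status"] != "invalid":
        return chal["status"], None
    if "error" in chal:
        return "invalid", chal["error"]["detail"]
    for sibling in attempted_challenges(authz):
        if "error" in sibling:
            return "invalid", "%s (error reported on sibling %s challenge)" % (
                sibling["error"]["detail"], sibling["type"])
    return "invalid", "no error recorded anywhere in the authorization"


def is_identifier_level_failure(authz):
    """True when the recorded error concerns the identifier itself."""
    return any(c.get("error", {}).get("type") in IDENTIFIER_LEVEL_ERRORS
               for c in authz["challenges"])


def diagnose(authz):
    """Summarise the authorization for an operator or a log line."""
    return {
        "identifier": authz["identifier"]["value"],
        "authz_status": authz["status"],
        "attempted": [c["type"] for c in attempted_challenges(authz)],
        "challenges": {c["type"]: explain_challenge(authz, c["type"])
                       for c in authz["challenges"]},
        # Retrying another challenge type only makes sense when the
        # failure was about the mechanism, not the name.
        "other_challenge_type_may_help": (
            authz["status"] == "invalid"
            and not is_identifier_level_failure(authz)),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(load_authz(SAMPLE_AUTHZ_JSON)), indent=2))
```

Running it on the sample reports `http-01` as the only attempted challenge, attributes the CAA detail to `dns-01` and `tls-alpn-01` as a borrowed reason, and sets `other_challenge_type_may_help` to false, which is the operational takeaway of the thread: a new authorization will fail the same way until the CAA record for the name is changed.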