V1 API: CAA error oddity

> curl https://acme-staging.api.letsencrypt.org/acme/authz/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8 | dejsonify
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1528  100  1528    0     0   5793      0 --:--:-- --:--:-- --:--:--  5787
    status: invalid
    token: f_pTnyCo4CxluGWVJf3xR3dOBYLIkuQsH5C1F52N1Ww
    type: dns-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468363
    status: invalid
    token: 1MqufdU4z7Dvx7uu3nAsbELfToPYjflw5XJ18KRemVY
    type: tls-alpn-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468364
      detail: CAA record for americangradual.org prevents issuance
      status: 403
      type: urn:acme:error:caa
    status: invalid
    token: NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU
    type: http-01
    uri: https://acme-staging.api.letsencrypt.org/acme/challenge/4R22E4xPtxFf7jhMgEdwvr6ZDFpc3YYP_hPT1tKuJv8/193468365
        hostname: americangradual.org
        port: 80
        url: http://americangradual.org/.well-known/acme-challenge/NcQImsHbvL_fjNBdtnR1kTi-UhEgWun2qTu3X9ZwlBU
    - 1
    - 2
    - 0
expires: 2018-11-15T19:58:55Z
  type: dns
  value: americangradual.org
status: invalid

Is it by design that the error appears only in the challenge that I actually attempted? It would seem to me it should appear in all of them.


That’s expected. We only attempted to validate one challenge, and as part of that validation we also opportunistically checked CAA.


It just seems strange that the dns-01 challenge object (for example) says it’s invalid but doesn’t indicate why.


Yep, I get that. In Boulder’s implementation, once one challenge for an authorization has been attempted and failed, the whole authorization becomes invalid.


When an authz is marked invalid, are all of the challenges marked invalid?


Yes, they are all marked invalid.


Interesting. I’d never noticed. I guess if the authz has been found invalid there’s no logic in labeling the challenges as “pending”, but “invalid” without an explanation seems weird, too.

Anyhow, thanks!
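A small parser for the authz object, added here as an example (not code from the thread or from Boulder): it reads the failure reason from whichever challenge carries the `error` object, since the sibling challenges are marked invalid without one, and flags the `urn:acme:error:caa` case separately because a CAA refusal belongs to the domain's DNS rather than to the challenge type. The sample authz is constructed from the output quoted above with shortened tokens; which challenge holds the error object is an assumption.

```python
import json

# Constructed sample modelled on the V1 authz quoted in the thread; tokens shortened.
# Which challenge carries the error object is an assumption for this example.
SAMPLE_AUTHZ = json.loads("""{
  "identifier": {"type": "dns", "value": "americangradual.org"},
  "status": "invalid",
  "expires": "2018-11-15T19:58:55Z",
  "challenges": [
    {"type": "dns-01", "status": "invalid", "token": "tok-dns"},
    {"type": "tls-alpn-01", "status": "invalid", "token": "tok-alpn"},
    {"type": "http-01", "status": "invalid", "token": "tok-http",
     "validationRecord": [{"hostname": "americangradual.org", "port": "80",
       "url": "http://americangradual.org/.well-known/acme-challenge/tok-http"}],
     "error": {"type": "urn:acme:error:caa", "status": 403,
               "detail": "CAA record for americangradual.org prevents issuance"}}
  ],
  "combinations": [[1], [2], [0]]
}""")


def explain_authz(authz):
    """Summarise why an authz is invalid.

    Boulder marks every challenge invalid once one attempt fails, but only the
    attempted challenge carries an 'error' object, so the reason has to be read
    from that challenge rather than from the sibling statuses.
    """
    attempted, unexplained = [], []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if err:
            attempted.append({"challenge": ch["type"],
                              "error_type": err.get("type", ""),
                              "detail": err.get("detail", "")})
        elif ch.get("status") == "invalid":
            unexplained.append(ch["type"])  # invalid, but carries no explanation
    return {"identifier": authz["identifier"]["value"], "status": authz["status"],
            "attempted": attempted, "unexplained": unexplained}


def blocked_by_caa(authz):
    """True if any challenge failed with the ACME CAA error type (urn:...:caa).

    A CAA refusal is a property of the domain's DNS, not of the challenge type,
    so retrying with another challenge will not help until the record changes.
    """
    return any(a["error_type"].endswith(":caa")
               for a in explain_authz(authz)["attempted"])
```

Calling `explain_authz(SAMPLE_AUTHZ)` lists `http-01` as the attempted challenge with the CAA detail, and `dns-01` and `tls-alpn-01` as invalid without explanation.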

