While processing CAA for mydomain DNS problem(but i don't have): query timed out looking up CAA

maxi4 · March 12, 2020, 8:16am

My domain is:
project-why.bloc.net, project-a.bloc.net, rogeriotest.bloc.net
I ran this command:
certbot -n certonly --manual --test-cert
–expand --no-eff-email --renew-with-new-domains --break-my-certs --manual-public-ip-logging-ok --preferred-challenges=http --email admin@test.te
–config-dir {srcdir}/letsencrypt \ --work-dir {srcdir}/lib
–logs-dir {srcdir}/logs/letsencrypt \ --manual-auth-hook {srcdir}/authenticator.sh
–manual-cleanup-hook {srcdir}/cleanup.sh \ --deploy-hook {srcdir}/deploy.sh
-d project-why.bloc.net,project-a.bloc.net,rogeriotest.bloc.net
It produced this output:

  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for rogeriotest.bloc.net: DNS problem: query timed out looking up CAA for rogeriotest.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "rogeriotest.bloc.net"
  }
},
{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for project-a.bloc.net: DNS problem: query timed out looking up CAA for project-a.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "project-a.bloc.net"
  }
},
{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for project-why.bloc.net: DNS problem: query timed out looking up CAA for project-why.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "project-why.bloc.net"

My web server is (include version):
IIS 7

The operating system my web server runs on is (include version):
Windows 2016

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.1.0

but i tried to check by myself
dig bloc.net ns

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> bloc.net ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bloc.net. IN NS

;; ANSWER SECTION:
bloc.net. 21599 IN NS ns3.hyp.net.
bloc.net. 21599 IN NS ns2.hyp.net.
bloc.net. 21599 IN NS ns1.hyp.net.

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 12 08:07:03 CET 2020
;; MSG SIZE rcvd: 95

host -t CAA bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

bloc.net has no CAA record

host -t CAA rogeriotest.bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

rogeriotest.bloc.net is an alias for webfarm1.bloc.net.

host -t CAA webfarm1.bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

webfarm1.bloc.net has no CAA record

i don’t get any error related with time out

9peppe · March 12, 2020, 9:45am

can you show us your dns panel?

(something tells me they’re not mentioning CAA here for a reason.)

(I don’t like your registrar: their prices are obviously promotional and for the first year, and I can’t find renewal prices)

maxi4 · March 12, 2020, 10:05am

i don’t have access but i asked owner to show me dns pannel
how we can check this on LE side? do they have some support ?

9peppe · March 12, 2020, 10:26am

this is the community, this is the support

when did you last run that command? is it possible it was just a transient error?

maxi4 · March 12, 2020, 10:42am

last time i run command yesterday and today in the morning
several weeks ago i didn’t have any problem

for example i have sub-domain salongenonline.no(tried to get certs yesterday) with the same registrar and any problem

9peppe · March 12, 2020, 10:45am

ok, check your dns. it might be misconfiguration, but also can be you provider.

(I found the pricing list, they seem suspiciously low: .eu for 4€/y? what’s the catch?)

maxi4 · March 12, 2020, 10:47am

don’t know :slight_smile maybe some local service

maxi4 · March 12, 2020, 10:48am

i’m waiting zone list

maxi4 · March 12, 2020, 10:50am

can it be some LE issues ?

9peppe · March 12, 2020, 10:52am

possible, but highly improbable.

maxi4 · March 12, 2020, 12:03pm

2020-03-12 08:19:04,929:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/local/bin/certbot”, line 11, in
sys.exit(main())
File “/usr/local/lib/python3.6/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 1351, in main
return config.func(config, plugins)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 360, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 292, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 900, in finalize_order
return self.client.finalize_order(orderr, deadline)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 748, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 95, in _post
return self.net.post(*args, **kwargs)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1171, in post
return self._post_once(*args, **kwargs)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1184, in _post_once
response = self._check_response(response, content_type=content_type)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1042, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for “project-why.bloc.net” and 69 more identifiers failed. Refer to sub-problems for more information
2020-03-12 08:19:04,931:ERROR:certbot._internal.log:An unexpected error occurred:
2020-03-12 08:19:04,931:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for “project-why.bloc.net” and 69 more identifiers failed. Refer to sub-problems for more information

maybe it can show more

9peppe · March 12, 2020, 12:40pm

this is the issue.

if you want a let's encrypt certificate you'll have to edit the CAA record (or add an additional one)

See also: Certificate Authority Authorization (CAA) - Let's Encrypt

Sometimes CAA queries time out. That is, the authoritative name server never replies with an answer at all, even after multiple retries. Most commonly this happens when your nameserver has a misconfigured firewall in front of it that drops DNS queries with unknown qtypes. File a support ticket with your DNS provider and ask them if they have such a firewall configured.

maxi4 · March 12, 2020, 1:49pm

yes! i read this! but why it worked several weeks ago!

JuergenAuer · March 12, 2020, 1:59pm

Hi @maxi4

there is a check of your domain - https://check-your-website.server-daten.de/?q=project-why.bloc.net#caa

There is no error visible. But that

2020-03-12.project-why.bloc.net

There are no ip addresses found. And the part with project-why.bloc.net is missing.

Rechecked bloc.net with unboundtest there are Connection refused - answers:

https://unboundtest.com/m/CAA/bloc.net/3GIUTZ6P

Mar 12 13:52:51 unbound[5527:0] info: query response was NXDOMAIN ANSWER
Mar 12 13:52:51 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:52 unbound[5527:0] info: response for bloc.net. DNSKEY IN
Mar 12 13:52:52 unbound[5527:0] info: reply from <bloc.net.> 2a01:5b40:ac3::1#53
Mar 12 13:52:52 unbound[5527:0] info: query response was ANSWER
Mar 12 13:52:52 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:52 unbound[5527:0] info: Capsforid: timeouts, starting fallback
Mar 12 13:52:52 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:53 unbound[5527:0] info: response for bloc.net. DNSKEY IN

Looks like your dns server / ipv6 is buggy. Or there is a blocking firewall. If it's the name server of your provider, your provider must fix that.

maxi4 · March 12, 2020, 2:01pm

thanks very much for help! hope it will be fixed

system · April 11, 2020, 2:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.