While processing CAA for mydomain DNS problem(but i don't have): query timed out looking up CAA

My domain is:
project-why.bloc.net, project-a.bloc.net, rogeriotest.bloc.net
I ran this command:
certbot -n certonly --manual --test-cert
–expand --no-eff-email --renew-with-new-domains --break-my-certs --manual-public-ip-logging-ok --preferred-challenges=http --email admin@test.te
–config-dir {srcdir}/letsencrypt \ --work-dir {srcdir}/lib
–logs-dir {srcdir}/logs/letsencrypt \ --manual-auth-hook {srcdir}/authenticator.sh
–manual-cleanup-hook {srcdir}/cleanup.sh \ --deploy-hook {srcdir}/deploy.sh
-d project-why.bloc.net,project-a.bloc.net,rogeriotest.bloc.net
It produced this output:

  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for rogeriotest.bloc.net: DNS problem: query timed out looking up CAA for rogeriotest.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "rogeriotest.bloc.net"
  }
},
{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for project-a.bloc.net: DNS problem: query timed out looking up CAA for project-a.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "project-a.bloc.net"
  }
},
{
  "type": "urn:ietf:params:acme:error:caa",
  "detail": "Error finalizing order :: While processing CAA for project-why.bloc.net: DNS problem: query timed out looking up CAA for project-why.bloc.net",
  "status": 403,
  "identifier": {
    "type": "dns",
    "value": "project-why.bloc.net"

My web server is (include version):
IIS 7

The operating system my web server runs on is (include version):
Windows 2016

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.1.0

but i tried to check by myself
dig bloc.net ns

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> bloc.net ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;bloc.net. IN NS

;; ANSWER SECTION:
bloc.net. 21599 IN NS ns3.hyp.net.
bloc.net. 21599 IN NS ns2.hyp.net.
bloc.net. 21599 IN NS ns1.hyp.net.

;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 12 08:07:03 CET 2020
;; MSG SIZE rcvd: 95

host -t CAA bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

bloc.net has no CAA record

host -t CAA rogeriotest.bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

rogeriotest.bloc.net is an alias for webfarm1.bloc.net.

host -t CAA webfarm1.bloc.net ns3.hyp.net
Using domain server:
Name: ns3.hyp.net
Address: 151.249.126.3#53
Aliases:

webfarm1.bloc.net has no CAA record

i don’t get any error related with time out

can you show us your dns panel?

(something tells me they’re not mentioning CAA here for a reason.)

(I don’t like your registrar: their prices are obviously promotional and for the first year, and I can’t find renewal prices)

i don’t have access but i asked owner to show me dns pannel :wink:
how we can check this on LE side? do they have some support ?

this is the community, this is the support :smiley:

when did you last run that command? is it possible it was just a transient error?

last time i run command yesterday and today in the morning
several weeks ago i didn’t have any problem

for example i have sub-domain salongenonline.no(tried to get certs yesterday) with the same registrar and any problem

ok, check your dns. it might be misconfiguration, but also can be you provider.

(I found the pricing list, they seem suspiciously low: .eu for 4€/y? what’s the catch?)

don’t know :slight_smile maybe some local service

i’m waiting zone list

can it be some LE issues ?

possible, but highly improbable.

2020-03-12 08:19:04,929:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/local/bin/certbot”, line 11, in
sys.exit(main())
File “/usr/local/lib/python3.6/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 1351, in main
return config.func(config, plugins)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 360, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File “/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py”, line 292, in obtain_certificate_from_csr
orderr = self.acme.finalize_order(orderr, deadline)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 900, in finalize_order
return self.client.finalize_order(orderr, deadline)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 748, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 95, in _post
return self.net.post(*args, **kwargs)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1171, in post
return self._post_once(*args, **kwargs)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1184, in _post_once
response = self._check_response(response, content_type=content_type)
File “/usr/local/lib/python3.6/site-packages/acme/client.py”, line 1042, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for “project-why.bloc.net” and 69 more identifiers failed. Refer to sub-problems for more information
2020-03-12 08:19:04,931:ERROR:certbot._internal.log:An unexpected error occurred:
2020-03-12 08:19:04,931:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for “project-why.bloc.net” and 69 more identifiers failed. Refer to sub-problems for more information

maybe it can show more

this is the issue.

if you want a let’s encrypt certificate you’ll have to edit the CAA record (or add an additional one)

See also: https://letsencrypt.org/docs/caa/

Sometimes CAA queries time out. That is, the authoritative name server never replies with an answer at all, even after multiple retries. Most commonly this happens when your nameserver has a misconfigured firewall in front of it that drops DNS queries with unknown qtypes. File a support ticket with your DNS provider and ask them if they have such a firewall configured.

yes! i read this! but why it worked several weeks ago!

Hi @maxi4

there is a check of your domain - https://check-your-website.server-daten.de/?q=project-why.bloc.net#caa

There is no error visible. But that

2020-03-12.project-why.bloc.net

There are no ip addresses found. And the part with project-why.bloc.net is missing.

Rechecked bloc.net with unboundtest there are Connection refused - answers:

https://unboundtest.com/m/CAA/bloc.net/3GIUTZ6P

Mar 12 13:52:51 unbound[5527:0] info: query response was NXDOMAIN ANSWER
Mar 12 13:52:51 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:52 unbound[5527:0] info: response for bloc.net. DNSKEY IN
Mar 12 13:52:52 unbound[5527:0] info: reply from <bloc.net.> 2a01:5b40:ac3::1#53
Mar 12 13:52:52 unbound[5527:0] info: query response was ANSWER
Mar 12 13:52:52 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:52 unbound[5527:0] info: Capsforid: timeouts, starting fallback
Mar 12 13:52:52 unbound[5527:0] error: tcp connect: Connection refused for 2a01:5b40:ac1::1 port 53
Mar 12 13:52:53 unbound[5527:0] info: response for bloc.net. DNSKEY IN

Looks like your dns server / ipv6 is buggy. Or there is a blocking firewall. If it’s the name server of your provider, your provider must fix that.

thanks very much for help! hope it will be fixed :smiley: