Let's Encrypt and CAA records

I'm on DA 1.51.4, running on Debian 8.

Let's Encrypt appears to have stopped working entirely on my server:

Code:
Getting challenge for example.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: DNS problem: SERVFAIL looking up CAA for example.com. Exiting...

From what I could gather, this is happening because Let's Encrypt began enforcing a change that has been in a transitional period for a long time, and DA is not ready for it. CAA support appears to have been added in the current version:

https://directadmin.com/features.php?id=1932

But for some reason it has to be manually and separately enabled and those other changes applied, meaning Let's Encrypt can no longer work at all by default and without cumbersome manual steps?

Can someone explain to me exactly what should be done to get Let's Encrypt to work again on a previously existing installation and domains? Thanks.

EDIT: It seems like the record must be added to each and every domain? Manually?
 
I don't understand, because in the link it says:

If you don’t care about CAA, you generally don’t have to do anything (but see CAA errors below)

But your error is
Challenge is invalid. Details: DNS problem: SERVFAIL looking up CAA for example.com. Exiting..

So letsencrypt has an error and is not working for you, and for some others also?

Which letsencrypt version and custombuild version number (2 version......?)

CAA errors

Since Let’s Encrypt checks CAA records before every certificate we issue, sometimes we get errors even for domains that haven’t set any CAA records. When we get an error, there’s no way to tell whether we are allowed to issue for the affected domain, since there could be CAA records present that forbid issuance, but are not visible because of the error.

If you receive CAA-related errors, try a few more times against our staging environment to see if they are temporary or permanent. If they are permanent, you will need to file a support issue with your DNS provider, or switch providers. If you’re not sure who your DNS provider is, ask your hosting provider.

Some DNS providers that are unfamiliar with CAA initially reply to problem reports with "We do not support CAA records." Your DNS provider does not need to specifically support CAA records; it only needs to reply with a NOERROR response for unknown query types (including CAA). Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.
 
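The check the quoted text describes (query CAA for the name, then each parent towards the root, and treat any lookup error as "cannot tell whether issuance is allowed"), as an added Python model of the RFC 8659 procedure. This is illustration code, not DirectAdmin or Let's Encrypt code: the resolver is a constructed in-memory table so it runs offline, and the zone names, the broken-parent case (which mirrors the "subdomain-type domain" situation later in the thread) and the pinned-CAA zones are assumptions.

```python
"""Model of the CAA check a CA performs before issuing (RFC 8659 tree climb).

Added illustration, not DirectAdmin or Let's Encrypt code. The "resolver" is a
constructed in-memory table so the script runs offline; a real CA queries live
DNS for every name on the way up the tree.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

SERVFAIL = "SERVFAIL"        # marker: the resolver failed for this name
ISSUER_CRITICAL = 0x80       # CAA flags bit 7 (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0..255
    tag: str     # property tag, compared case-insensitively
    value: str   # property value, e.g. 'letsencrypt.org' or ';' (no CA at all)


Zone = Dict[str, Union[str, List[CAARecord]]]   # name -> records, or SERVFAIL


def parse_caa_rdata(text: str) -> CAARecord:
    """Parse presentation-format CAA rdata such as '0 issue "letsencrypt.org"'."""
    flags_s, tag, value = text.split(None, 2)
    flags = int(flags_s)
    if not 0 <= flags <= 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(flags, tag.lower(), value)


def issuer_domain(record: CAARecord) -> str:
    """Issuer domain of an issue/issuewild value; parameters after ';' are dropped."""
    return record.value.split(";", 1)[0].strip().lower()


def lookup_caa(zone: Zone, name: str) -> Tuple[str, List[CAARecord]]:
    """One CAA query. A name absent from the table answers NOERROR with no
    records, which is what a compliant server returns for an unknown qtype."""
    answer = zone.get(name, [])
    if answer == SERVFAIL:
        return SERVFAIL, []
    return "NOERROR", list(answer)


def relevant_caa_set(zone: Zone, fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from fqdn towards the root; the first non-empty CAA RRset is the
    relevant one. Returns (failed_name, records): failed_name is set when any
    lookup on the way up errors, in which case the CA cannot decide at all."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = lookup_caa(zone, name)
        if rcode != "NOERROR":
            return name, []
        if records:
            return None, records
    return None, []


def caa_decision(zone: Zone, fqdn: str, ca: str = "letsencrypt.org",
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Return (may_issue, reason) for a certificate request for fqdn by ca."""
    failed, records = relevant_caa_set(zone, fqdn)
    if failed is not None:
        # Same shape as the error in the thread: an error anywhere up the tree blocks issuance
        return False, f"SERVFAIL looking up CAA for {failed}"
    if not records:
        return True, "no CAA records anywhere in the tree; CAA does not restrict issuance"
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"unrecognised critical CAA property {r.tag!r}"
    tags = {r.tag for r in records}
    # issuewild, when present, governs wildcard requests; otherwise issue does
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    restricting = [r for r in records if r.tag == governing]
    if not restricting:
        return True, f"no {governing} property in the relevant RRset"
    if any(issuer_domain(r) == ca.lower() for r in restricting):
        return True, f"{governing} property names {ca}"
    return False, f"{governing} properties do not name {ca}"


# Constructed example zones (assumptions, not real DNS data).
ZONE_BROKEN_PARENT: Zone = {
    "sub.example.com": [],     # the subdomain zone itself answers fine...
    "example.com": SERVFAIL,   # ...but its parent is broken, as in the thread
}
ZONE_FIXED_PARENT: Zone = {"sub.example.com": [], "example.com": []}
ZONE_PINNED: Zone = {
    "example.com": [parse_caa_rdata('0 issue "letsencrypt.org"'),
                    parse_caa_rdata('0 issuewild ";"')],   # nobody may issue wildcards
}
ZONE_CRITICAL: Zone = {"example.com": [parse_caa_rdata('128 futuretag "x"')]}

if __name__ == "__main__":
    cases = [
        ("broken parent", ZONE_BROKEN_PARENT, "sub.example.com", False),
        ("fixed parent", ZONE_FIXED_PARENT, "sub.example.com", False),
        ("pinned", ZONE_PINNED, "www.example.com", False),
        ("pinned wild", ZONE_PINNED, "*.example.com", True),
        ("critical", ZONE_CRITICAL, "www.example.com", False),
    ]
    for label, zone, name, wild in cases:
        ok, why = caa_decision(zone, name, wildcard=wild)
        print(f"{label:14} {name:18} {'ISSUE' if ok else 'REFUSE':6} {why}")
```

The "broken parent" case is the one behind a SERVFAIL on a zone that has no CAA records at all: the subdomain answers NOERROR, but the climb reaches the parent, the parent fails, and the CA refuses because it cannot prove that no forbidding record exists.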
I think Let's Encrypt used to ignore SERVFAIL quietly, but no longer (or maybe they're still rolling that out).

https://community.letsencrypt.org/t/caa-servfail-changes/38298

My DNS provider is myself, and DNS is managed by DirectAdmin entirely; I would expect DirectAdmin to work properly in this instance. I mean, DA has explicit Let's Encrypt integration; It can assert for sure that only Let's Encrypt should be able to issue a certificate for a domain where Let's Encrypt is enabled internally. So it should manage the CAA records for such domains automatically.

server /usr/local/directadmin/custombuild # ./build version
2.0.0 (rev: 1669)
 
Figured the cause of the error being SERVFAIL: Some stuff was missing from an upstream domain (the certificate was for a "subdomain"-type domain). This fixes Let's Encrypt renewals for my situation.

My confusion at the lack of automated CAA records remains; should I submit it somewhere as a feature request?
 
https://www.directadmin.com/features.php?id=1932

Check that out, it's already a feature. I do believe this is for new domains added after the adjustment though; adding it to domains already on the server is another issue. Maybe an echo command or some perl command might do the job. I have not found a solution myself, so let me know :)
 
What if my client has a domain on different hosting and only created an "A" record with the IP of my server? The SSL certificate was created successfully 3 months ago, but now when it tries to renew it's "Challenge is invalid. Details: DNS problem: SERVFAIL looking up CAA for domain.com. Exiting..."

I set dns_caa=1 in directadmin.conf, but the error still appears. What should we do?
 
Figured the cause of the error being SERVFAIL: Some stuff was missing from an upstream domain (the certificate was for a "subdomain"-type domain). This fixes Let's Encrypt renewals for my situation.
I have got the same problem for a subdomain. How did you solve it?
 