CAA record prevents issuing the certificate: "letsencrypt.org"

Mattie (Verified User; joined Jun 1, 2008; 123 messages)
I am getting this error in my ticket system:

Code:
Error during automated certificate renewal for mattie-systems.nl
2020-7-27 00:10
CAA record prevents issuing the certificate: "letsencrypt.org"

However, I DO have a CAA set. This is dig output from another host not related to my VPS:

Code:
[x@x ~]$ dig CAA mattie-systems.nl

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.7 <<>> CAA mattie-systems.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44996
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mattie-systems.nl.             IN      CAA

;; ANSWER SECTION:
mattie-systems.nl.      300     IN      CAA     0 issue "letsencrypt.org"
mattie-systems.nl.      300     IN      CAA     0 iodef "mailto:<masked for spam bots>"

;; Query time: 45 msec
;; SERVER: 213.189.29.187#53(213.189.29.187)
;; WHEN: Mon Jul 27 19:32:58 2020
;; MSG SIZE  rcvd: 116

[x@x ~]$ dig CAA vps.mattie-systems.nl

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.7 <<>> CAA vps.mattie-systems.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 610
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vps.mattie-systems.nl.         IN      CAA

;; ANSWER SECTION:
vps.mattie-systems.nl.  14400   IN      CAA     0 issue "letsencrypt.org"

;; Query time: 167 msec
;; SERVER: 89.104.166.219#53(89.104.166.219)
;; WHEN: Mon Jul 27 19:33:03 2020
;; MSG SIZE  rcvd: 73

When I manually renew the certificate it seems to work fine:

Code:
root@vps:~# /usr/local/directadmin/scripts/letsencrypt.sh renew mattie-systems.nl 4096
Requesting new certificate order...
[..]
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345...
Processing authorization for mattie-systems.nl...
Challenge is valid.
[..]
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/12345...
Processing authorization for vps.mattie-systems.nl...
Challenge is valid.
[..]
Generating 4096 bit RSA key for mattie-systems.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/mattie-systems.nl.key.new"
Generating RSA private key, 4096 bit long modulus
[..]
Checking Certificate Private key match... Match!
Certificate for mattie-systems.nl has been created successfully!

Any ideas? This is the 2nd time; a few months ago (I guess during the previous renewal) I simply ran it manually, but I don't want to do that every time :)
 
Your CAA record looks correct at least. The first error message, does that come directly from Let's Encrypt, or is it generated in the DirectAdmin scripts?
 
This is just the output I get in the message system; not sure if it is DA or Let's Encrypt.

[attachment: 89211-capture.png]
 
For your reference, our DNS record for CAA:
Code:
@ CAA 14400  0 issue "letsencrypt.org"
 
Yeah thanks, that is exactly what I have so I am not really sure what is wrong here.
 
Thanks for the suggestion, but it seems my DNSSEC is correct:


So that is not the case, I assume.
 
Dear all,
I have a problem installing Let's Encrypt for my domains other than the default/main domain, with the note "Could not execute your request
CAA record prevents issuing the certificate: SERVFAIL".

How do I get all domains to get a Let's Encrypt certificate?
Thank you
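The two errors in this thread ("letsencrypt.org" named in the message, and "SERVFAIL") are two different outcomes of the same check a CA runs before issuing: the RFC 8659 CAA lookup that climbs from the requested name towards the root and uses the first CAA RRset it finds. The example below, added here and not code from DirectAdmin or Let's Encrypt, simulates that check against a constructed zone (all names, records and answers below are made up, except the two record sets copied from the dig output in the first post). It shows three things the posts alone do not: a host name with no CAA of its own falls through to its parent's records, a lookup failure at any level is a refusal rather than "no records", and a wildcard request is governed by issuewild when one is present.

```python
"""CAA check as a CA performs it (RFC 8659 tree-climbing), run against a
constructed zone.  Added example for this thread; not DirectAdmin or
Let's Encrypt code.  Names, records and answers below are made up."""

# Constructed answers: a list of (flags, tag, value) CAA records for a name,
# "NODATA" for a name that exists but has no CAA records, or "SERVFAIL" for
# a name whose lookup fails (DNSSEC breakage, a lame server, a timeout).
ZONE = {
    "mattie-systems.nl": [(0, "issue", "letsencrypt.org"),
                          (0, "iodef", "mailto:hostmaster@mattie-systems.nl")],
    "vps.mattie-systems.nl": [(0, "issue", "letsencrypt.org")],
    "mail.mattie-systems.nl": "NODATA",      # no CAA of its own: inherits from parent
    "other.example": [(0, "issue", "digicert.com")],
    "www.other.example": "NODATA",
    "wild.example": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "broken.example": "SERVFAIL",
    "sub.broken.example": "NODATA",
    "strict.example": [(128, "futuretag", "whatever")],
    "nocaa.example": "NODATA",
    "example": "NODATA",
    "nl": "NODATA",
}

CA_DOMAIN = "letsencrypt.org"
CRITICAL = 128                      # issuer-critical flag bit of a CAA record
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name):
    """Simulated resolver: ("OK", records), ("NODATA", []) or ("SERVFAIL", None)."""
    entry = ZONE.get(name, "NODATA")
    if entry == "SERVFAIL":
        return "SERVFAIL", None
    if entry == "NODATA":
        return "NODATA", []
    return "OK", entry


def relevant_caa_set(fqdn):
    """RFC 8659 section 3: climb from fqdn towards the root and return
    (name, records) for the first non-empty CAA RRset, or (None, []) when
    no level has one.  A failed lookup anywhere on the path is a hard
    error: 'no answer' is not the same as 'no records'."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        status, records = lookup_caa(name)
        if status == "SERVFAIL":
            raise LookupError(f"CAA lookup for {name} failed with SERVFAIL")
        if records:
            return name, records
    return None, []


def caa_permits(fqdn, ca=CA_DOMAIN, wildcard=False):
    """Return (allowed, reason) for issuance of fqdn by the CA named in ca."""
    try:
        origin, rrset = relevant_caa_set(fqdn)
    except LookupError as err:
        # The "CAA record prevents issuing the certificate: SERVFAIL" outcome.
        return False, f"CAA record prevents issuing the certificate: SERVFAIL ({err})"
    if not rrset:
        return True, "no CAA records at any level: any CA may issue"
    # A property the CA does not understand, with the critical flag set,
    # forbids issuance (RFC 8659 section 4).
    for flags, tag, _value in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unknown critical CAA property '{tag}' at {origin}"
    # issuewild governs wildcard names when present; otherwise issue does.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _f, t, _v in rrset):
        tag = "issuewild"
    issuers = [v for _f, t, v in rrset if t == tag]
    if not issuers:
        return True, f"CAA at {origin} carries no '{tag}' property: not restricted"
    for value in issuers:
        # "letsencrypt.org; accounturi=..." -> the domain is the part before
        # ';' (parameters are not enforced here).  An empty domain, i.e. the
        # value ";", authorises no CA at all.
        domain = value.split(";", 1)[0].strip().lower()
        if domain == ca:
            return True, f"CAA at {origin} authorises {ca} via '{tag}'"
    return False, f"CAA at {origin} does not authorise {ca}: {tag} {issuers}"


if __name__ == "__main__":
    for name, wild in [("mattie-systems.nl", False), ("vps.mattie-systems.nl", False),
                       ("mail.mattie-systems.nl", False), ("www.other.example", False),
                       ("*.wild.example", True), ("sub.broken.example", False),
                       ("strict.example", False), ("nocaa.example", False)]:
        ok, why = caa_permits(name, wildcard=wild)
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:25} {why}")
```

Two practical points follow from the simulation. The lookup is done by the CA's own resolvers at validation time, so a dig from another host that succeeds later proves little about what the CA saw during the automated run; a transient SERVFAIL at that moment gives exactly the SERVFAIL wording of the last post, and Let's Encrypt's CAA documentation names DNSSEC misconfiguration and authoritative servers that mishandle CAA queries as the usual causes. And because the check climbs to the parent, a sub-domain does not need its own CAA record to be covered; the record at the apex already applies to every name beneath it unless a lower level overrides it.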
 