Error during automated certificate renewal - CAA record prevents issuing the certificate

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
A couple of days ago I first got this message. Now I'm trying to debug it, but I can't find the problem.

1620905010994.png


The certificates should be requested through the system hostname `vps.xx.nl`. As you can see, it is set up like that:

1620905070369.png


However, I do have the CAA configured. I also did it on both the hostname (which has a separate DNS entry) and the domain itself. You can see it on:

1620905161691.png

1620905176674.png

So I don't really understand the error.

If I run the renew command manually I do see this error:
1620905240545.png


But yeah, it worked before and I did not make any changes as far as I know. Any ideas?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
Why do you use a CAA DNS record for your hostname? Have you tried removing it and then trying to renew?
I'm not sure but my guess is CAA records are for domain names and subdomains, not for hostnames.

Or else maybe this can help?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
Ah... You could also just have upped your previous topic about this. Seems this is not the first time you're experiencing this, so not fixed yet.
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Oh wow, I totally forgot I had this problem some time ago. It seems to have resolved itself then, and now it has come back. Strange.... I will look into the posts there to see if this is the same.

The CAA record has been added to the hostname to be sure; removing it has no effect, so it seems.
(And both specify letsencrypt, so it should not matter.)
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
Hmmz... that's odd. Might be some LE issue then. In the past I also sometimes experienced odd issues, which disappeared 1 or 2 days later. If not, then I hope DA has a solution.
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Hm, strange. I tried some commands from my old thread:

1620998658534.png


1620998686135.png


So perhaps it is fixed now after doing this manually once? I guess I'll see tomorrow....
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
Hmmz... strange. Let's hope indeed that it remains good now. I never had to point to the ca.san_config ever.
But if it works....
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Still getting these emails, but hey, my certificate is valid from 14 May till 12 August now, so perhaps I need to wait till the one it is trying to renew "times out". Is there a way to see what certificate it is trying to renew? Like a list of what is 'active'? Perhaps there is something wrong there?
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Perhaps that is some kind of old feature? I know I needed it once, but no idea if I can remove it now or not.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
I have no clue, I'm getting confused about this, since all 3 of our servers were installed around September last year.
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Yeah, my server was older than that. I have a new server but copied everything over. Perhaps I will try to delete the file and see what happens... (but then again, I'd first like it to be "stable" before I do that, haha)
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
And just for fun: I do still get this from time to time. Usually it fixes itself in a couple of days. But this time it does not seem to be able to fix itself. I now have 2 weeks to figure it out :)

Sometimes the error is:
CAA record prevents issuing the certificate: "letsencrypt.org"
and sometimes:
CAA record prevents issuing the certificate: SERVFAIL

A site like: https://caatest.co.uk/ thinks everything is valid.



1655884966449.png
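The two error variants quoted above correspond to two different outcomes of the CAA check a CA performs before issuing: either a CAA RRset was found and its `issue` property does not authorize the CA, or a DNS lookup somewhere on the way up the name tree failed (SERVFAIL), in which case the CA cannot decide and refuses. The following is an added example (not code from this thread, from DirectAdmin or from Let's Encrypt) that walks through the RFC 8659 lookup rules on a constructed, in-memory zone so both outcomes can be reproduced offline. The `example.nl` names, the record set and the `ZONE` dictionary are constructed stand-ins for the poster's redacted hostname; `None` models a name whose CAA lookup SERVFAILs.

```python
"""Decide whether a CA may issue for a hostname under RFC 8659 CAA rules.

Added example, not from the thread or from any CA/DirectAdmin code. All zone
data is constructed; a value of None models a SERVFAIL for that name.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISSUER_CRITICAL = 0x80          # RFC 8659 flag bit: unknown critical tag => refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str      # issue / issuewild / iodef / ...
    value: str    # issue(wild): "<ca-domain>[; params]" or ";" meaning "no CA may issue"


def parse_caa(text: str) -> CAARecord:
    """Parse presentation format such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


class LookupFailure(Exception):
    """A DNS failure (e.g. SERVFAIL) while fetching a CAA RRset."""


# Constructed zone: name -> CAA records in presentation format, or None for SERVFAIL.
ZONE: Dict[str, Optional[List[str]]] = {
    "example.nl": ['0 issue "letsencrypt.org"',
                   '0 issuewild ";"',                        # wildcards: no CA at all
                   '0 iodef "mailto:hostmaster@example.nl"'],
    "vps.example.nl": ['0 issue "letsencrypt.org"'],         # hostname with its own record
    "restricted.example.nl": ['0 issue "otherca.example"'],  # names a different CA
    "locked.example.nl": ['0 issue ";"'],                    # nobody may issue
    "broken.example.nl": None,                               # lookup SERVFAILs
}


def lookup_caa(name: str, zone: Dict[str, Optional[List[str]]]) -> List[CAARecord]:
    if name in zone and zone[name] is None:
        raise LookupFailure(f"SERVFAIL looking up CAA for {name}")
    return [parse_caa(r) for r in zone.get(name, [])]


def relevant_caa_set(hostname: str, zone) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s.3: climb from the FQDN towards (and including) the TLD; the first
    non-empty RRset is the relevant one. A failed lookup on the way propagates."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []


@dataclass
class Decision:
    permitted: bool
    reason: str
    found_at: Optional[str] = None


def issuance_allowed(hostname: str, ca_domain: str, zone=ZONE) -> Decision:
    """Return whether `ca_domain` may issue for `hostname` (or '*.hostname')."""
    wildcard = hostname.startswith("*.")
    if wildcard:
        hostname = hostname[2:]          # RFC 8659: evaluate CAA for the base name
    try:
        found_at, rrset = relevant_caa_set(hostname, zone)
    except LookupFailure as exc:
        return Decision(False, f"CAA lookup failed, cannot issue: {exc}")
    if not rrset:
        return Decision(True, "no CAA records in the tree; any CA may issue")
    # An issuer-critical property the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return Decision(False, f"unknown critical CAA property at {found_at}", found_at)
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return Decision(True, f"CAA at {found_at} imposes no issue restriction", found_at)
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    allowed.discard("")                  # a bare ";" authorizes no CA
    if ca_domain.lower() in allowed:
        return Decision(True, f"{found_at} authorizes {ca_domain}", found_at)
    return Decision(False, f"CAA record at {found_at} prevents issuing: "
                           f"permitted CAs are {sorted(allowed) or 'none'}", found_at)


if __name__ == "__main__":
    for host in ["vps.example.nl", "mail.example.nl", "restricted.example.nl",
                 "locked.example.nl", "www.broken.example.nl", "*.example.nl"]:
        d = issuance_allowed(host, "letsencrypt.org")
        print(f"{host:25} permitted={d.permitted!s:5} {d.reason}")
```

The climb matters for the hostname case discussed in the thread: a record on `vps.example.nl` is found first and decides on its own, while a name without its own record inherits from the parent; a SERVFAIL anywhere on the path is reported as a failure rather than as "no record", which is why an otherwise valid record set can still produce the SERVFAIL variant of the error.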
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
So.... I was running:

Code:
[email protected]:/usr/local/directadmin/scripts# ./letsencrypt.sh renew vps.xx-xx.nl 4096 /usr/local/directadmin/conf/ca.san_config
(as found in my history :p)

And every time: SERVERFAIL.

I thought: let's add some 'echo's to the script so I can perhaps see what it does. And then, after a couple of echoes:

1655886054739.png


Yeah, so I still don't understand this -_- but at least it is fixed again. Pft.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
8,956
Location
Maastricht
(as found in my history :p)
They fixed something with the hostname certificate, as I found an odd issue with it. Took some searching, but then they found out and fixed it. I also sometimes had issues with the hostname renewal, but now it works well.

You'd best not make the command too long. If it happens again, just create a new one like this:
./letsencrypt.sh renew vps.xx-xx.nl 4096
After that, it should renew automatically and the files DA is looking at are copied to the correct place automatically now too.

Not sure where the syntax error is coming from, maybe from the command line, but that should not be in there.
 

Mattie

Verified User
Joined
Jun 1, 2008
Messages
123
Thanks, I'll keep an eye on it. I think I had a newer version than that, but I can't confirm it as I ran an update yesterday :)
 