LetsEncrypt issues

Doridian (New member; joined Mar 31, 2021; 3 messages)
Recently I encountered an issue with DA's LetsEncrypt module.
Turns out when a domain has multiple CAA records, DA's check only checks the first one and then bails if that isn't correct.

See the following situation:
Code:
root@directadmin:~#  /usr/local/directadmin/scripts/letsencrypt.sh request DOMAIN.com
CAA record prevents issuing the certificate: "comodoca.com"

And when I check the DNS:
Code:
$ dig IN CAA DOMAIN.com @8.8.8.8

; <<>> DiG 9.16.1-Ubuntu <<>> IN CAA DOMAIN.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15567
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;DOMAIN.com.                        IN      CAA

;; ANSWER SECTION:
DOMAIN.com.         3189    IN      CAA     0 issue "comodoca.com"
DOMAIN.com.         3189    IN      CAA     0 issue "digicert.com"
DOMAIN.com.         3189    IN      CAA     0 issue "letsencrypt.org"
DOMAIN.com.         3189    IN      CAA     0 issuewild "comodoca.com"
DOMAIN.com.         3189    IN      CAA     0 issuewild "digicert.com"
DOMAIN.com.         3189    IN      CAA     0 issuewild "letsencrypt.org"

Sadly, I cannot get rid of those other CAA records, as my DNS provider is CloudFlare for this domain and they enforce them being there.
This seems like a bug in DirectAdmin, as per specification, multiple CAA records are a valid configuration.
 
There is more to it than commands to run. Did you do all of the Cloudflare config?

I think there is a known issue with wildcards. You might find it if you search the forum.
 
There is more to it than commands to run. Did you do all of the Cloudflare config?

I think there is a known issue with wildcards. You might find it if you search the forum.

Again, I am not trying to issue wildcards at all.
The issue is simply that the DirectAdmin LE script doesn't "see" the CAA records that clearly exist.

Code:
${DIG} CAA ${i} @${DNS_SERVER} +short | grep -m1 -q -F -- "letsencrypt.org"
This line in letsencrypt.sh seems to be the issue: it only greps out the FIRST response from dig, which is comodoca.com, but LE is within the replies, just not the first response.

//EDIT: As a matter of fact, I commented out the call to caa_check in that script and now DA has successfully issued a cert for the problem domain.
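The point raised in both posts above (a CAA record set with several issuers, where letsencrypt.org is not the first record) comes down to how the record set is evaluated. As an added example, not the DirectAdmin letsencrypt.sh code and not something the poster wrote, here is a POSIX shell function that evaluates a complete CAA RRset the way RFC 8659 specifies: issuance is permitted if any relevant record names the CA, "issuewild" records take precedence for wildcard names, a bare ";" denies everyone, and a record with the critical flag and an unknown tag prohibits issuance. The function name caa_allows is hypothetical, the CA identifier assumed is "letsencrypt.org", and the record set is passed in as the text dig +short would print, so it runs offline. The sample record set is constructed from the dig output in the first post.

```shell
#!/bin/sh
# Added example (not DirectAdmin's code): evaluate a full CAA RRset per RFC 8659.
# Assumptions: the CA is identified by the issuer domain "letsencrypt.org";
# the record set is passed in as the text "dig CAA <name> +short" would print,
# so the function runs offline and can be unit-tested.

# Constructed sample, copied from the dig output in the first post above.
SAMPLE_CAA='0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "digicert.com"
0 issuewild "letsencrypt.org"'

# caa_allows CA WILDCARD RECORDS
#   CA       issuer domain to look for (e.g. letsencrypt.org)
#   WILDCARD 1 if the certificate is for a wildcard name, otherwise 0
#   RECORDS  the CAA RRset as "dig +short" text; may be empty
# Exit status 0 = issuance permitted, 1 = prohibited.
# Rules applied (RFC 8659 sections 4.2, 4.3 and 4.5):
#   - no records, or no records with the relevant tag: no restriction
#   - wildcard names use "issuewild" records if any exist, else "issue"
#   - permitted if ANY relevant record names this CA; a value of ";" denies all
#   - a record with the critical flag (128) and an unknown tag prohibits issuance
caa_allows() {
    ca=$1
    wildcard=$2
    records=$3

    [ -z "$records" ] && return 0

    tag=issue
    if [ "$wildcard" = 1 ] && printf '%s\n' "$records" | grep -q -E '^[0-9]+ issuewild '; then
        tag=issuewild
    fi

    printf '%s\n' "$records" | awk -v tag="$tag" -v ca="$ca" '
        # critical flag set on a property tag we do not understand
        $1 >= 128 && $2 != "issue" && $2 != "issuewild" && $2 != "iodef" { unknown_critical = 1 }
        $2 == tag {
            seen++
            v = $3
            gsub(/"/, "", v)          # strip the quotes around the value
            sub(/;.*/, "", v)         # drop parameters, e.g. "ca; validationmethods=dns-01"
            if (tolower(v) == tolower(ca)) found = 1
        }
        END {
            if (unknown_critical) exit 1
            if (!seen) exit 0          # no issue/issuewild records: unrestricted
            exit(found ? 0 : 1)
        }'
}

# Demonstration on the record set from the post: letsencrypt.org is the third
# "issue" record, so the whole set must be scanned, not just the first line.
if caa_allows letsencrypt.org 0 "$SAMPLE_CAA"; then
    echo "CAA permits letsencrypt.org for DOMAIN.com"
else
    echo "CAA record prevents issuing the certificate"
fi
```

In a script like letsencrypt.sh the call would be `caa_allows letsencrypt.org 0 "$(${DIG} CAA ${i} @${DNS_SERVER} +short)"` (assumed wiring, using the script's own variables as shown above). The function only judges the record set it is handed; RFC 8659 also requires walking up to parent names when the requested name has no CAA set, and that climb, plus CNAME handling, stays with the caller. Since the CA itself only needs one "issue" record naming letsencrypt.org, the extra comodoca.com and digicert.com records in the post are harmless to Let's Encrypt issuance.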