Certbot dry-run gave CAA issues with dedyn.io

Hi,

I set up the record:

CAA 128 issuewild "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/11111111111"

But test gave back:

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/mydomain.dedyn.io.conf

Simulating renewal of an existing certificate for *.mydomain.dedyn.io and mydomain.dedyn.io
Waiting 80 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
Domain: mydomain.dedyn.io
Type: caa
Detail: CAA record for mydomain.dedyn.io prevents issuance

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 80 seconds).

Failed to renew certificate mydomain.dedyn.io with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/mydomain.dedyn.io/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Maybe certbot_dns_desec.dns_desec:Authenticator prevents something?

Without a CAA entry, the renewal dry-run runs OK.
CAA 128 issuewild "letsencrypt.org;validationmethods=dns-01" is fine as well.

Any help/hint welcome.

BR,
Mike

The question seems to be about the content of the CAA record, not about the DNS hosting service.

Stay secure,
Peter

The format is ok, see here:

Examples

A simple CAA record which allows Let’s Encrypt to issue for “example.org” might look like this:

example.org         CAA 0 issue "letsencrypt.org"

A more complex CAA record set might look like this:

example.org         CAA 0 issue "myca.org;validationmethods=dns-01"
example.org         CAA 0 issuewild "myca.org"
example.org         CAA 128 issue "otherca.com;accounturi=https://otherca.com/acct/123456"

Seems to be more a desec.io problem …

1070 "identifier": {
1071 "type": "dns",
1072 "value": "example.dedyn.io"
1073 },
1074 "status": "invalid",
1075 "expires": "2023-10-31T15:17:15Z",
1076 "challenges": [
1077 {
1078 "type": "dns-01",
1079 "status": "invalid",
1080 "error": {
1081 "type": "urn:ietf:params:acme:error:caa",
1082 "detail": "CAA record for example.dedyn.io prevents issuance",
1083 "status": 403
1084 },
1085 "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/90333833904/IllmaA",
1086 "token": "8Ky0mcFttrB0_HyNvsdfsdfdsfBhTlqp618mG05_qeJXK6PI",
1087 "validationRecord": [
1088 {
1089 "hostname": "example.dedyn.io"
1090 }
1091 ],
1092 "validated": "2023-10-24T15:18:38Z"
1093 }
1094 ],
1095 "wildcard": true

1082 "detail": "CAA record for example.dedyn.io prevents issuance"

If that is so: When you query the record using a tool like dig, what do you see and what did you expect?

Stay secure,
Peter

My working setup is:

dig:

;; ANSWER SECTION:
example.dedyn.io. 30 IN CAA 128 issuewild "letsencrypt.org;validationmethods=dns-01"

certbot --dry-run shows no issues,

whereas

CAA 128 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/11111111111"
shows up correctly with dig, but certbot gives the mentioned errors.

What I see via dig is OK; at least the dry-run test fails.

If it shows up correctly with dig, why do you think it is a deSEC issue?

If the DNS response is what you expect, then it's unlikely to be a DNS issue. I'd suggest consulting the Let's Encrypt community (as the error message is telling you). Have you tried that?

Stay secure,
Peter

Thanks for the quick response. Yep, I have an issue open at LE; one point was that --dry-run points to the stage system and therefore the accounturi is not working. I will double-check, and either force a cert renew or wait till the beginning of November as my cert is due for renewal …

Solved: a forced renew on the PROD environment works; it seems the issue was the stage system.
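The outcome of this thread is a property of the `accounturi` parameter (RFC 8657) rather than of deSEC or certbot: the CAA record binds issuance to one specific ACME account URI, and the account certbot uses against the staging CA during `--dry-run` is a different account with a different URI, so the staging CA correctly refuses. The following Python evaluator, an added example that is not part of the thread and not deSEC, certbot or Let's Encrypt code, replays that decision offline for the record quoted above. The production account URI is the placeholder from the thread; the staging account URI is constructed for illustration and is not a real account.

```python
"""Minimal CAA policy evaluator (RFC 8659 issue/issuewild selection plus the
RFC 8657 validationmethods and accounturi parameters). Added example; all
inputs below are constructed or copied from the thread's placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical flag, as in the thread's record
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. 'letsencrypt.org;validationmethods=dns-01;accounturi=...'


def parse_caa_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain;key=val;key=val' into (issuer, parameters)."""
    parts = [p.strip() for p in value.strip().strip('"').split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for param in parts[1:]:
        if not param:
            continue
        key, _, val = param.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_authorizes(rec: CAARecord, ca_domain: str, account_uri: str,
                      method: str) -> Tuple[bool, str]:
    """Does this single record authorize this CA, account and method?"""
    issuer, params = parse_caa_value(rec.value)
    if issuer != ca_domain.lower():
        return False, f"{rec.tag} names {issuer or '<nobody>'}, not {ca_domain}"
    allowed = params.get("validationmethods")
    if allowed and method not in [m.strip() for m in allowed.split(",")]:
        return False, f"validationmethods={allowed} does not allow {method}"
    bound_uri = params.get("accounturi")
    if bound_uri and bound_uri != account_uri:
        return False, f"accounturi binds {bound_uri}, request uses {account_uri}"
    return True, f'authorized by {rec.tag} "{rec.value}"'


def caa_permits(records: List[CAARecord], ca_domain: str, account_uri: str,
                method: str, wildcard: bool) -> Tuple[bool, str]:
    """RFC 8659: a wildcard request is governed by issuewild records when any
    exist, otherwise by issue records. Any one authorizing record suffices."""
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} records: issuance not restricted by CAA"
    reasons = []
    for rec in relevant:
        ok, why = record_authorizes(rec, ca_domain, account_uri, method)
        if ok:
            return True, why
        reasons.append(why)
    return False, "; ".join(reasons)


# Placeholder production account URI exactly as quoted in the thread.
PROD_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/11111111111"
# Constructed staging account URI: --dry-run talks to the staging CA, where the
# client holds a separate account with its own (different) URI.
STAGING_ACCOUNT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/22222222222"

# The record from the thread that broke the dry run.
THREAD_RECORDS = [
    CAARecord(128, "issuewild",
              f"letsencrypt.org;validationmethods=dns-01;accounturi={PROD_ACCOUNT}"),
]

if __name__ == "__main__":
    for label, uri in (("production renew", PROD_ACCOUNT),
                       ("staging --dry-run", STAGING_ACCOUNT)):
        ok, why = caa_permits(THREAD_RECORDS, "letsencrypt.org", uri,
                              "dns-01", wildcard=True)
        print(f"{label:18s}: {'permitted' if ok else 'DENIED'} - {why}")
```

Running it prints a permitted decision for the production account and a denial for the staging account, which is the same split the thread observed between a forced production renewal and `--dry-run`. The practical check before adding `accounturi` is therefore to confirm which account URI the client will present to the CA you are testing against, since a record pinned to one CA environment's account cannot authorize the other.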