How To Fix A CertBot CAA Error Blaming Your Nameservers

This post discusses how to resolve a possible Certbot error. Certbot can fail to install a Let’s Encrypt certificate when the certificate is requested for a subdomain in situations where a DNS Certification Authority Authorization (CAA) Record has not been set.

Here is the context in which I recently encountered this error. Previously I posted A Beginner’s Quick Glance At Two Of Udemy’s Free Courses! Then, in Updating A Free Udemy Bootstrap Course On Oracle Cloud Free Tier, I tried updating the Udemy Bootstrap course’s LAMP stack and Bootstrap theme by installing current versions on an Ubuntu instance at Oracle Cloud Free Tier.

As mentioned in the Updating post, two issues arose during the update. First, because of a CAA record error, the CertBot powered Let’s Encrypt certificate issuance did not succeed. Second, setting the MySQL password failed. With help from my wonderful domain registrar, Porkbun, the certificate error has been resolved. This post is about the CertBot CAA record error and its resolution. The MySQL password error will be discussed in an upcoming post.

Error Details From The Install Transcript

The certificate error occurs on line 997 of the transcript mentioned in the Updating post. Here is part of the transcript beginning at line 989 and including the text of the error:

989 Which names would you like to activate HTTPS for?
990 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
991 1: bcas.metalvps.com
992 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
993 Select the appropriate numbers separated by commas and/or spaces, or leave input
994 blank to select all options shown (Enter 'c' to cancel): 1
995 Requesting a certificate for bcas.metalvps.com
996
997 Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
998 Domain: bcas.metalvps.com
999 Type: dns
1000 Detail: DNS problem: SERVFAIL looking up CAA for metalvps.com - the domain's nameservers may be malfunctioning
1001
1002 Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
1003
1004 Some challenges have failed.
1005 Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Please note, as shown in line 991, that I was trying to obtain a Let’s Encrypt certificate for the subdomain bcas.metalvps.com. If we look at the error text in line 1000, it says “the domain’s nameservers may be malfunctioning.” If we look at the full log we can see that I went on to use the host and dig commands to verify that Porkbun’s nameservers indeed were functioning correctly.

What did I miss?

What I completely missed was that I had never installed a CAA record for MetalVPS.com. While “the domain’s nameservers may be malfunctioning” made it look as if Porkbun’s servers were somehow causing the error, it’s obvious that Porkbun’s servers can’t serve a CAA record if there isn’t one!

Why wasn’t there a CAA record? I apparently never needed one before! Also, I hadn’t seen any instructions or tutorials which told me I needed a CAA record. RFC 8659 says in section 1 that “CAA records MAY be used by Certificate Evaluators as a possible indicator of a security policy violation.” It looks like CAA records might be to some extent optional.

Also, I do not recall any of the instructions and tutorials I have read about Certbot or Let’s Encrypt saying that CAA records were necessary for Certbot to work. Previously, all my uses of Certbot successfully obtained certificates.

I emailed the install transcript plus host and dig output to Porkbun support. Porkbun got it right away, and even very kindly set the CAA record for me. They asked me to try Certbot again, and Certbot worked after the CAA record was installed.

Here’s what the CAA record looks like:

bash:~$ dig metalvps.com caa

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> metalvps.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8650
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;metalvps.com. IN CAA

;; ANSWER SECTION:
metalvps.com. 600 IN CAA 0 issue "letsencrypt.org"

;; Query time: 110 msec
;; SERVER: 100.115.92.193#53(100.115.92.193)
;; WHEN: Thu Jun 23 22:03:18 MST 2022
;; MSG SIZE rcvd: 75

bash:~$

That’s it. 0 issue "letsencrypt.org" is all that was needed.
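To see how a CA evaluates that record for a subdomain request like bcas.metalvps.com, and why the SERVFAIL on the parent-domain lookup in the transcript is fatal, here is an added example (not from this post, Certbot or Let’s Encrypt) that implements the CAA climbing rule of RFC 8659 against constructed sample DNS answers; the `broken.example`, `denied.example` and `nocaa.example` names are made up for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 128 = "critical"
    tag: str     # issue, issuewild, iodef, ...
    value: str   # e.g. "letsencrypt.org" or ";" (no CA may issue)

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation format as dig prints it: 0 issue "letsencrypt.org"."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

# Constructed sample DNS answers: name -> (rcode, CAA RRset). NOERROR with an
# empty set is NODATA, i.e. the name exists but carries no CAA record.
SAMPLE_DNS = {
    "metalvps.com.": ("NOERROR", [parse_caa('0 issue "letsencrypt.org"')]),
    "broken.example.": ("SERVFAIL", []),   # nameserver fails on CAA queries
    "denied.example.": ("NOERROR", [parse_caa('0 issue ";"')]),
}

def may_issue(hostname, ca="letsencrypt.org", dns=SAMPLE_DNS):
    """Return (allowed, reason) for CA `ca` issuing for hostname (RFC 8659 s3/4)."""
    labels = hostname.rstrip(".").split(".")
    # Climb from the requested name to the TLD; the first non-empty CAA RRset wins.
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, rrs = dns.get(name, ("NOERROR", []))
        if rcode != "NOERROR":
            # A lookup failure at any level is fatal: the CA cannot tell whether
            # a record exists, which is exactly the SERVFAIL case in the transcript.
            return False, f"DNS problem: {rcode} looking up CAA for {name}"
        if not rrs:
            continue
        if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrs):
            return False, f"critical unknown CAA property at {name}"
        issue = [r for r in rrs if r.tag == "issue"]
        if not issue:
            return True, f"CAA at {name} sets no issue restriction"
        for r in issue:
            if r.value.split(";")[0].strip().lower() == ca:
                return True, f"{name} authorizes {ca}"
        return False, f"{name} does not authorize {ca}"
    return True, f"no CAA records for {hostname} or any parent"
```

Swapping `SAMPLE_DNS` for real lookups reproduces the distinction that matters here: a name with no CAA record anywhere in its chain is allowed, while a SERVFAIL at any level is reported as a DNS problem rather than as a missing record.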

Here’s what Chrome browser said about the certificate:

Chrome shows certificate as valid

Donate To The Electronic Frontier Foundation

Support EFF’s Work on Certbot

“EFF is a U.S. 501(c)(3) nonprofit, tax ID #04-3091431.”

Donate To Let’s Encrypt

Donate

“Internet Security Research Group is the 501(c)(3) public benefit organization behind Let’s Encrypt. Our EIN is: 46-3344200.”
