CAA record issue #34

Closed
crayt90 opened this issue Mar 23, 2022 · 2 comments
crayt90 commented Mar 23, 2022

Hi,

just set up a LabCA on a freshly installed Ubuntu 18.04 and it worked fine up to the point where the certificate for the web service is generated.

The log says:

ValueError: Challenge did not pass for ca.internal.homenet.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://ca.internal.homenet.de/.well-known/acme-challenge/4uoTxHvh0rm1ScFdDHTNmtyB8YHQDoH87F15YWn45mY', u'hostname': u'ca.internal.homenet.de', u'addressUsed': u'10.10.10.68', u'port': u'80', u'addressesResolved': [u'10.10.10.68']}], u'url': u'https://ca.internal.homenet.de/acme/chall-v3/2/q3SK2g', u'token': u'4uoTxHvh0rm1ScFdDHTNmtyB8YHQDoH87F15YWn45mY', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:caa', u'detail': u'CAA record for ca.internal.homenet.de prevents issuance'}, u'validated': u'2022-03-23T15:03:06Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'ca.internal.homenet.de'}, u'expires': u'2022-03-30T15:03:06Z'}

So back to the documentation and ... I learned that I need a CAA record in my DNS.
Fine, so I created this record and according to my "dig" command it displays just fine:

root@ca:/var/www/html/.well-known/acme-challenge# dig CAA internal.homenet.de

; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> CAA internal.homenet.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48517
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;internal.homenet.de. IN CAA

;; ANSWER SECTION:
internal.homenet.de. 0 IN CAA 0 issue "ca.internal.homenet.de"

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Mar 23 16:17:59 UTC 2022
;; MSG SIZE rcvd: 89

But the issue still persists and I'm a bit lost on how to proceed.

Any help would be greatly appreciated and any logs needed can be uploaded.
Just let me know what further information you need.

Best regards and thanks in advance for anyone willing to help me here.

crayt90

hakwerk (Owner) commented Mar 23, 2022

I'm pretty sure that the value of the CAA record should be the domain, not the hostname:
internal.homenet.de. 0 IN CAA 0 issue "internal.homenet.de"

In fact, it should be the value of the "issuerDomain" from the file /home/labca/boulder_labca/config/va.json
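To make the maintainer's point concrete, here is an added example (written for this thread, not code from LabCA or Boulder) of the CAA evaluation a validation authority performs per RFC 8659: climb from the requested name to the nearest CAA record set, then accept only if an "issue" record names the CA's own issuer domain. It assumes an in-memory zone map in place of real DNS lookups, and reproduces both the record as first created (hostname in the value, which blocks issuance) and the corrected one (issuerDomain in the value).

```go
package main

import (
	"fmt"
	"strings"
)

// CAA is one CAA resource record: the tag and value fields (RFC 8659); the
// flags octet is omitted here, as only "issue" records are evaluated.
type CAA struct{ Tag, Value string }

// Zone is a constructed, offline stand-in for DNS: owner name -> CAA RRset.
type Zone map[string][]CAA

// relevantRRset climbs from the requested name towards the root and returns
// the first non-empty CAA RRset it meets (RFC 8659 section 3).
func relevantRRset(zone Zone, name string) []CAA {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := range labels {
		if rrs := zone[strings.Join(labels[i:], ".")]; len(rrs) > 0 {
			return rrs
		}
	}
	return nil
}

// Permitted reports whether a CA with the given issuer domain may issue for
// name, and why. No CAA records at any level allows issuance; a record set
// that names no matching issuer forbids it (an "issue" value of ";" forbids all).
func Permitted(zone Zone, name, issuerDomain string) (bool, string) {
	rrs := relevantRRset(zone, name)
	if rrs == nil {
		return true, "no CAA records found"
	}
	for _, rr := range rrs {
		if rr.Tag != "issue" {
			continue
		}
		// The value may carry parameters after ';'; only the domain is compared.
		dom := strings.TrimSuffix(strings.TrimSpace(strings.SplitN(rr.Value, ";", 2)[0]), ".")
		if strings.EqualFold(dom, issuerDomain) {
			return true, fmt.Sprintf("issue %q matches issuer domain", rr.Value)
		}
	}
	return false, fmt.Sprintf("CAA record for %s prevents issuance", name)
}

// Constructed zones mirroring the issue: the record as first created, then the corrected one.
var WrongZone = Zone{"internal.homenet.de": {{"issue", "ca.internal.homenet.de"}}}
var FixedZone = Zone{"internal.homenet.de": {{"issue", "internal.homenet.de"}}}
```

Calling Permitted(WrongZone, "ca.internal.homenet.de", "internal.homenet.de") yields the same "prevents issuance" outcome as the log above, while FixedZone is accepted.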

crayt90 (Author) commented Mar 24, 2022

Thanks, that helped a lot.
Having corrected this, it works now.

@crayt90 crayt90 closed this as completed Mar 24, 2022