
Renewal fails if a domain has CAA records, even if they are valid and were working 2 months ago #711

Closed · dmi97 opened this issue May 23, 2024 · 1 comment · Label: bug (Something isn't working)

@dmi97

dmi97 commented May 23, 2024

Describe the bug
After deploying KeyVault-acmebot in March 2024, wildcard certs were generated without issues; manual renewal was tested and it worked as expected on a couple of domains. Thank you for this amazing tool.

One of the changes I had to make for it to work was to explicitly authorize "letsencrypt.org" in Azure DNS using CAA records because we already had records for sectigo/digicert. Those records haven't been modified since then, certs were manually renewed several times for testing and all was good.

Fast forward to today, and automatic renewal has been failing in all of our domains. Manual renewal also fails if any CAA record exists. Removing all the CAA records and manually renewing fixes the issue. But it should work if the CAA records are valid; at least it worked back in March 2024.

Something has changed between March and May that makes the renewal fail. I couldn't find any major changes in Let's Encrypt that could have caused this.

To Reproduce
Steps to reproduce the behavior:

Configure valid CAA records on a domain in Azure DNS, for example:

0 issue "digicert.com"
0 issue "letsencrypt.org"
0 issue "amazontrust.com"
0 issue "sectigo.com"

Wait for DNS propagation and do a manual renewal. The renewal will fail.

If you remove all CAA records and try again, the renewal will succeed.

Environment (please complete the following information):

  • Certificate Type: Wildcard
  • Certificate Deploy Target: Azure Application Gateway/WAF

Additional context
Error message displayed after attempting manual renewal:

func-****.azurewebsites.net says Orchestrator function: RenewCertificate_Orchestrator Orchestrator function 'RenewCertificate_Orchestrator' failed: The orchestrator function 'IssueCertificate' failed: "The activity function 'CheckIsReady' failed: "ACME validation status is invalid. Required retry at first. LastError = {"type":"urn:ietf:params:acme:error:caa","detail":"CAA record for ****.com prevents issuance","status":403}". See the function execution logs for additional details.". See the function execution logs for additional details.

dmi97 added the bug label on May 23, 2024

@shibayan (Owner)

This error indicates that the ACME Certificate Authority has failed to check the CAA record. Since Acmebot is not involved in CAA records, there is either a problem with the ACME Certificate Authority or with the CAA record.

shibayan closed this as not planned on May 23, 2024
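The owner's reply above is the key point: Acmebot never evaluates CAA; the CA does, at validation time, and reports the result as an `urn:ietf:params:acme:error:caa` problem document. The following added example (not part of this issue or of the KeyVault-acmebot project) reproduces that decision locally so a reporter can check whether a record set like the one in the repro steps actually authorizes the CA for the requested name. It implements the RFC 8659 rules a CA follows (climb the tree to the closest name with CAA records, `issuewild` overrides `issue` for wildcard names, `;` authorizes nobody, an unknown property with the critical bit set blocks issuance) against a constructed in-memory zone with hypothetical names, and it also pulls the ACME problem document out of an orchestrator error string shaped like the one quoted in the report. No DNS is queried; the record set, zone names and log line are all constructed.

```python
"""
Local CAA triage for an ACME 'caa' validation failure: extract the problem
document from the Durable Functions error text, then evaluate the domain's
CAA RRset the way RFC 8659 tells a CA to. Zone data is constructed, not live.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer critical
    tag: str     # "issue", "issuewild", "iodef", or something unrecognised
    value: str   # issuer domain, optional "; key=value" parameters, or ";" for nobody


# Constructed zone with hypothetical names: the four-record set from the report,
# a zone that allows Let's Encrypt but forbids wildcards, and a zone carrying an
# unknown property flagged critical.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "amazontrust.com"),
        CAARecord(0, "issue", "sectigo.com"),
    ],
    "nowild.example": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
    ],
    "strict.example": [
        CAARecord(0x80, "issue", "letsencrypt.org"),
        CAARecord(0x80, "futuretag", "something"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str, zone: dict) -> tuple[Optional[str], list]:
    """RFC 8659 s.3: drop a leading '*.' and climb toward the root; the closest
    name that has CAA records supplies the Relevant RRset."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_allowed(name: str, ca: str, zone: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records anywhere in the tree; issuance unrestricted"
    # RFC 8659 s.5.1: a critical property the issuer does not understand blocks issuance.
    for rec in rrset:
        if rec.flags & 0x80 and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rec.tag}' at {owner}"
    tag = "issue"
    if name.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # s.4.3: issuewild takes precedence for wildcard names
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True, f"no '{tag}' property at {owner}; this request is unconstrained"
    if ca.lower() in {issuer_domain(r.value) for r in applicable}:
        return True, f"'{tag} {ca}' present at {owner}"
    return False, f"{owner} has '{tag}' records but none name {ca}"


LASTERROR_RE = re.compile(r"LastError = (\{.*?\})")

# Constructed log line in the shape quoted in the report (placeholder domain).
SAMPLE_LOG = ("The activity function 'CheckIsReady' failed: \"ACME validation status is "
              "invalid. Required retry at first. LastError = {\"type\":\"urn:ietf:params:"
              "acme:error:caa\",\"detail\":\"CAA record for example.com prevents "
              "issuance\",\"status\":403}\"")


def acme_problem_from_log(line: str) -> Optional[dict]:
    """Extract the JSON ACME problem document embedded in the orchestrator error text."""
    m = LASTERROR_RE.search(line)
    return json.loads(m.group(1)) if m else None


def triage(line: str, name: str, ca: str, zone: dict = ZONE) -> dict:
    """Classify the failure; for a CAA problem, also evaluate the RRset locally."""
    problem = acme_problem_from_log(line)
    result = {"problem_type": problem["type"] if problem else None}
    if problem and problem["type"].endswith(":caa"):
        allowed, reason = is_issuance_allowed(name, ca, zone)
        result.update(caa_allows=allowed, reason=reason)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "*.example.com", "letsencrypt.org"))
```

Against the constructed `example.com` set, a wildcard request for Let's Encrypt is allowed, so a local result of "allowed" alongside a live `urn:ietf:params:acme:error:caa` rejection narrows the question to what the CA's resolver actually saw (propagation, the record set at the parent name, or a stale result on the CA side), which is exactly the split the owner describes.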