CAA records seem to be interfering with certificate renewals from Let's Encrypt via Cloudron

d19dotca

I setup CAA records for my domains yesterday, and noticed a bunch of failures this morning in the Cloudron trying to renew the certificates (I guess it tries to look every day?).

Failed to new certs of d19.ca: Unexpected status: invalid. Renewal will be retried in 12 hours

As you can see at https://dnschecker.org/#CAA/d19.ca I have the records propagated with a value of 0 issue "letsencrypt.org"

The above should be correct, no? I'm new to using CAA records but they seem fairly simple, with only a few options available. I also used the CAA generator at https://sslmate.com/caa/ to double-check what it'd suggest and it was the same that I had used.

Is this an issue with the way I did the CAA records, or is this an issue with Cloudron not liking the CAA record? Is "issue" perhaps supposed to be "issuewildcard"? I'm not using wildcard certs though, I'm using the "wildcard DNS provider", but not wildcard certs.

d19dotca

As I wrote that, I wondered if this had to do with the value of the CAA record - specifically the use of double-quotes. I know some providers treat those differently. It matched what was used by the CAA record generator tool, but I wonder if I should have removed the double-quotes. I'm going to try that today and see if that helps at all. But if anyone else has experience with this, I'd appreciate it.

girish

@d19dotca I have see Unexpected status: invalid happen sporadically because LE has some issue/some deployment is going on. This is normal behavior/failure of LE service. The CAA is just accidental i think.

The CAA setup itself looks correct. Do you see what error was returned in the cert renewal logs? You can click the renew button again and see the logs.

d19dotca

@girish Hmm, well now I'm confused and wondering what I saw before, haha. Because yes I remember looking at the logs on my phone when I first saw the issue and I swear I saw something about "not allowed" or something to that effect suggesting it was to do with the CAA records I set, and what a coincidence too, but now that I look at the certificate renewal logs I don't see the issue and it's successfully done them in the meantime. However I had also took away the double quotes around the letsencrypt.org part, so who knows maybe that was an issue too. Oh well, it seems to be working now. haha.

jimcavoli

Yeah, I've got CAAs on my installations and not seen issues in general, or specifically in the last day either.

d19dotca

So I'm pretty convinced the issue was the way I wrote the CAA records. I think my DNS provider didn't need the double-quotes in there and it caused issues. Reason I say that is because after introducing the CAA records, I suddenly had the certificate renewal errors.

Then when using a DNS check tool and I looked up CAA records for Google and Mozilla and more, none of them had the double-quote in there, but mine did. So I am sure that was the issue, as everything worked fine again after I removed the double-quotes.

I suspect the double-quotes was being taken literally as a string and so letsencrypt.org is not the same as "letsencrypt.org" in the DNS CAA record. I was able to later find the logs I had seen in the early morning which shows the following which confirms my conclusion: CAA record for <domain> prevents issuance.

So for anyone who comes across this later, make sure you're not using double-quotes I guess. haha.