Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Navigation

    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    SOLVED CAA records seem to be interfering with certificate renewals from Let's Encrypt via Cloudron

    Support
    caa certificates letsencrypt
    3
    6
    54
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • d19dotca
      d19dotca last edited by girish

      I setup CAA records for my domains yesterday, and noticed a bunch of failures this morning in the Cloudron trying to renew the certificates (I guess it tries to look every day?).

      Failed to new certs of d19.ca: Unexpected status: invalid. Renewal will be retried in 12 hours

      As you can see at https://dnschecker.org/#CAA/d19.ca I have the records propagated with a value of 0 issue "letsencrypt.org"

      The above should be correct, no? I'm new to using CAA records but they seem fairly simple, with only a few options available. I also used the CAA generator at https://sslmate.com/caa/ to double-check what it'd suggest and it was the same that I had used.

      Is this an issue with the way I did the CAA records, or is this an issue with Cloudron not liking the CAA record? Is "issue" perhaps supposed to be "issuewildcard"? I'm not using wildcard certs though, I'm using the "wildcard DNS provider", but not wildcard certs.

      --
      Dustin Dauncey
      www.d19.ca

      girish 1 Reply Last reply Reply Quote 0
      • d19dotca
        d19dotca last edited by

        As I wrote that, I wondered if this had to do with the value of the CAA record - specifically the use of double-quotes. I know some providers treat those differently. It matched what was used by the CAA record generator tool, but I wonder if I should have removed the double-quotes. I'm going to try that today and see if that helps at all. But if anyone else has experience with this, I'd appreciate it.

        --
        Dustin Dauncey
        www.d19.ca

        1 Reply Last reply Reply Quote 0
        • girish
          girish Staff @d19dotca last edited by girish

          @d19dotca I have see Unexpected status: invalid happen sporadically because LE has some issue/some deployment is going on. This is normal behavior/failure of LE service. The CAA is just accidental i think.

          The CAA setup itself looks correct. Do you see what error was returned in the cert renewal logs? You can click the renew button again and see the logs.

          d19dotca 1 Reply Last reply Reply Quote 1
          • d19dotca
            d19dotca @girish last edited by

            @girish Hmm, well now I'm confused and wondering what I saw before, haha. Because yes I remember looking at the logs on my phone when I first saw the issue and I swear I saw something about "not allowed" or something to that effect suggesting it was to do with the CAA records I set, and what a coincidence too, but now that I look at the certificate renewal logs I don't see the issue and it's successfully done them in the meantime. However I had also took away the double quotes around the letsencrypt.org part, so who knows maybe that was an issue too. Oh well, it seems to be working now. haha. 🙂

            --
            Dustin Dauncey
            www.d19.ca

            1 Reply Last reply Reply Quote 0
            • jimcavoli
              jimcavoli App Dev last edited by jimcavoli

              Yeah, I've got CAAs on my installations and not seen issues in general, or specifically in the last day either.

              1 Reply Last reply Reply Quote 0
              • d19dotca
                d19dotca last edited by d19dotca

                So I'm pretty convinced the issue was the way I wrote the CAA records. I think my DNS provider didn't need the double-quotes in there and it caused issues. Reason I say that is because after introducing the CAA records, I suddenly had the certificate renewal errors.

                Then when using a DNS check tool and I looked up CAA records for Google and Mozilla and more, none of them had the double-quote in there, but mine did. So I am sure that was the issue, as everything worked fine again after I removed the double-quotes.

                I suspect the double-quotes was being taken literally as a string and so letsencrypt.org is not the same as "letsencrypt.org" in the DNS CAA record. I was able to later find the logs I had seen in the early morning which shows the following which confirms my conclusion: CAA record for <domain> prevents issuance.

                So for anyone who comes across this later, make sure you're not using double-quotes I guess. haha.

                --
                Dustin Dauncey
                www.d19.ca

                1 Reply Last reply Reply Quote 2
                • First post
                  Last post