Cloudron Forum

CAA records seem to be interfering with certificate renewals from Let's Encrypt via Cloudron

Category: Support (Solved)
Tags: caa, certificates, letsencrypt
6 Posts 3 Posters 235 Views
#1 d19dotca wrote (last edited by girish):

    I set up CAA records for my domains yesterday, and noticed a bunch of failures this morning in the Cloudron trying to renew the certificates (I guess it tries to look every day?).

    Failed to new certs of d19.ca: Unexpected status: invalid. Renewal will be retried in 12 hours

    As you can see at https://dnschecker.org/#CAA/d19.ca I have the records propagated with a value of 0 issue "letsencrypt.org"

    The above should be correct, no? I'm new to using CAA records but they seem fairly simple, with only a few options available. I also used the CAA generator at https://sslmate.com/caa/ to double-check what it'd suggest and it was the same that I had used.

    Is this an issue with the way I did the CAA records, or is this an issue with Cloudron not liking the CAA record? Is "issue" perhaps supposed to be "issuewildcard"? I'm not using wildcard certs though, I'm using the "wildcard DNS provider", but not wildcard certs.

    --
    Dustin Dauncey
    www.d19.ca

#2 d19dotca wrote:

    As I wrote that, I wondered if this had to do with the value of the CAA record - specifically the use of double-quotes. I know some providers treat those differently. It matched what was used by the CAA record generator tool, but I wonder if I should have removed the double-quotes. I'm going to try that today and see if that helps at all. But if anyone else has experience with this, I'd appreciate it.

    --
    Dustin Dauncey
    www.d19.ca

#3 girish (Staff) replied to d19dotca (last edited by girish):

    @d19dotca I have seen Unexpected status: invalid happen sporadically because LE has some issue or some deployment is going on. This is normal behavior/failure of the LE service. The CAA is just accidental, I think.

    The CAA setup itself looks correct. Do you see what error was returned in the cert renewal logs? You can click the renew button again and see the logs.

#4 d19dotca replied to girish:

    @girish Hmm, well now I'm confused and wondering what I saw before, haha. Because yes, I remember looking at the logs on my phone when I first saw the issue and I swear I saw something about "not allowed" or something to that effect suggesting it was to do with the CAA records I set, and what a coincidence too, but now that I look at the certificate renewal logs I don't see the issue and it's successfully done them in the meantime. However, I had also taken away the double quotes around the letsencrypt.org part, so who knows, maybe that was an issue too. Oh well, it seems to be working now. haha. 🙂

    --
    Dustin Dauncey
    www.d19.ca

#5 jimcavoli (App Dev) wrote (last edited by jimcavoli):

    Yeah, I've got CAAs on my installations and not seen issues in general, or specifically in the last day either.

#6 d19dotca wrote (last edited by d19dotca):

    So I'm pretty convinced the issue was the way I wrote the CAA records. I think my DNS provider didn't need the double-quotes in there and it caused issues. Reason I say that is because after introducing the CAA records, I suddenly had the certificate renewal errors.

    Then when using a DNS check tool and I looked up CAA records for Google and Mozilla and more, none of them had the double-quote in there, but mine did. So I am sure that was the issue, as everything worked fine again after I removed the double-quotes.

    I suspect the double-quotes were being taken literally as a string, and so letsencrypt.org is not the same as "letsencrypt.org" in the DNS CAA record. I was able to later find the logs I had seen in the early morning, which show the following and confirm my conclusion: CAA record for <domain> prevents issuance.

    So for anyone who comes across this later, make sure you're not using double-quotes I guess. haha.

    --
    Dustin Dauncey
    www.d19.ca

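Editor's added example (not from this thread, Cloudron or Let's Encrypt): a small model of the RFC 8659 CAA check a CA runs before issuing, applied to the record from post #1 and to the broken form from post #6 where the DNS provider kept the double quotes inside the value. Record contents are constructed from the thread.

```python
"""Evaluate a CAA record set the way a CA does before issuing (RFC 8659 issue/issuewild).
Added example for this thread, not Cloudron or Let's Encrypt code. Sample records are
constructed: the intended 0 issue "letsencrypt.org" and the broken variant in which the
DNS provider stored the double quotes as part of the served value."""
from dataclasses import dataclass

CRITICAL = 128  # bit 7 of the flags octet: CA must understand the tag or refuse

@dataclass(frozen=True)
class CAA:
    flags: int  # 0-255
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # value as actually served by DNS (zone-file quotes already removed)

def parse_presentation(text: str) -> CAA:
    """Parse zone-file form such as '0 issue "letsencrypt.org"'. The quotes are
    zone-file syntax, not part of the value, so one surrounding pair is stripped."""
    flags, tag, value = text.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAA(int(flags), tag.lower(), value)

def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value: the text before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def permits_issuance(records: list, ca: str, wildcard: bool = False) -> bool:
    """True if 'ca' may issue. No relevant records means no restriction; an unknown
    critical tag means refuse; an empty issuer domain (';') forbids every CA."""
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild overrides issue only for wildcard requests
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    return any(issuer_domain(r.value) == ca.lower() for r in relevant)

def quoted_values(records: list) -> list:
    """Issue/issuewild values still carrying literal double quotes: the misconfiguration
    from the thread, which makes '"letsencrypt.org"' never match letsencrypt.org."""
    return [r.value for r in records if r.tag in ("issue", "issuewild") and '"' in r.value]

# Constructed samples: the intended record, and what the broken one looked like when served.
GOOD = [parse_presentation('0 issue "letsencrypt.org"')]
BROKEN = [CAA(0, "issue", '"letsencrypt.org"')]  # provider kept the quotes in the value
```

`permits_issuance(GOOD, "letsencrypt.org")` returns True while the BROKEN set returns False, which is the "CAA record for <domain> prevents issuance" outcome seen in post #6; `quoted_values(BROKEN)` points at the offending value.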
