Cloudron Forum
CAA records seem to be interfering with certificate renewals from Let's Encrypt via Cloudron

Solved | Support | Tags: caa, certificates, letsencrypt | 6 Posts, 3 Posters, 965 Views
#1 d19dotca wrote (last edited by girish):

      I setup CAA records for my domains yesterday, and noticed a bunch of failures this morning in the Cloudron trying to renew the certificates (I guess it tries to look every day?).

      Failed to new certs of d19.ca: Unexpected status: invalid. Renewal will be retried in 12 hours

      As you can see at https://dnschecker.org/#CAA/d19.ca I have the records propagated with a value of 0 issue "letsencrypt.org"

      The above should be correct, no? I'm new to using CAA records but they seem fairly simple, with only a few options available. I also used the CAA generator at https://sslmate.com/caa/ to double-check what it'd suggest and it was the same that I had used.

      Is this an issue with the way I did the CAA records, or is this an issue with Cloudron not liking the CAA record? Is "issue" perhaps supposed to be "issuewildcard"? I'm not using wildcard certs though, I'm using the "wildcard DNS provider", but not wildcard certs.

      --
      Dustin Dauncey
      www.d19.ca

#2 d19dotca wrote:

As I wrote that, I wondered if this had to do with the value of the CAA record, specifically the use of double quotes. I know some providers treat those differently. It matched what was used by the CAA record generator tool, but I wonder if I should have removed the double quotes. I'm going to try that today and see if that helps at all. But if anyone else has experience with this, I'd appreciate it.

        --
        Dustin Dauncey
        www.d19.ca


#3 girish (Staff) wrote (last edited by girish):

@d19dotca I have seen "Unexpected status: invalid" happen sporadically because LE has some issue or some deployment is going on. This is normal behavior/failure of the LE service. The CAA is just accidental, I think.

          The CAA setup itself looks correct. Do you see what error was returned in the cert renewal logs? You can click the renew button again and see the logs.


#4 d19dotca wrote:

@girish Hmm, well now I'm confused and wondering what I saw before, haha. Because yes, I remember looking at the logs on my phone when I first saw the issue, and I swear I saw something about "not allowed" or something to that effect, suggesting it was to do with the CAA records I set, and what a coincidence too. But now that I look at the certificate renewal logs I don't see the issue, and it has successfully done them in the meantime. However, I had also taken away the double quotes around the letsencrypt.org part, so who knows, maybe that was an issue too. Oh well, it seems to be working now. haha. 🙂

            --
            Dustin Dauncey
            www.d19.ca

#5 jimcavoli (App Dev) wrote (last edited by jimcavoli):

Yeah, I've got CAAs on my installations and haven't seen issues in general, or specifically in the last day either.

#6 d19dotca wrote (last edited by d19dotca):

So I'm pretty convinced the issue was the way I wrote the CAA records. I think my DNS provider didn't need the double quotes in there and it caused issues. The reason I say that is because after introducing the CAA records, I suddenly had the certificate renewal errors.

Then, when using a DNS check tool, I looked up CAA records for Google and Mozilla and more, and none of them had the double quotes in there, but mine did. So I am sure that was the issue, as everything worked fine again after I removed the double quotes.

I suspect the double quotes were being taken literally as a string, and so letsencrypt.org is not the same as "letsencrypt.org" in the DNS CAA record. I was later able to find the logs I had seen in the early morning, which show the following and confirm my conclusion: CAA record for <domain> prevents issuance.

So for anyone who comes across this later, make sure you're not using double quotes, I guess. haha.

                --
                Dustin Dauncey
                www.d19.ca

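The thread's conclusion (a literal pair of double quotes stored inside the CAA value makes `"letsencrypt.org"` a different string from `letsencrypt.org`, so the CA finds no match and reports that the CAA record prevents issuance) can be checked offline. The block below is an added example written for this page; it is not Cloudron or Let's Encrypt code. It parses zone-file presentation syntax the way a resolver would (the quotes around the value are syntax, not data), then evaluates issuance against a constructed zone the way RFC 8659 describes: climb from the name toward the root until a CAA set is found, apply `issuewild` to wildcard names where present and `issue` otherwise, refuse on an unknown property with the critical flag set, and otherwise compare the CA domain from each `issue` value. The zone contents, the `example.test` names and all helper names are assumptions for illustration; the `d19.ca` entries only mirror the two states described in the posts.

```python
"""CAA evaluation in the spirit of RFC 8659, run against a constructed zone.

Added example for this thread; not Cloudron or Let's Encrypt code. The zone
data below is constructed, not a real DNS answer.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str   # the value bytes exactly as the DNS provider stored them


def parse_caa_rdata(text):
    """Parse presentation-format rdata such as '0 issue "letsencrypt.org"'.

    The surrounding double quotes are zone-file syntax and are dropped; a quote
    that is meant to be part of the value must be escaped as \\" in the file.
    """
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*', text)
    if not m:
        raise ValueError(f"not CAA presentation format: {text!r}")
    flags, tag, raw = int(m.group(1)), m.group(2).lower(), m.group(3)
    return CAA(flags, tag, raw.replace('\\"', '"'))


# Constructed zones (assumption). ZONE_QUOTED_VALUE reproduces the mistake in
# the thread: the provider kept the double quotes as part of the stored value.
ZONE_QUOTED_VALUE = {"d19.ca": [CAA(0, "issue", '"letsencrypt.org"')]}
ZONE_CORRECT = {"d19.ca": [CAA(0, "issue", "letsencrypt.org")]}
ZONE_NO_WILDCARDS = {
    # ";" as the issuewild value means no CA may issue wildcard certificates
    "example.test": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_rrset(zone, name):
    """RFC 8659 section 3: use the first non-empty CAA set found while climbing
    from the name toward the root. A wildcard name starts at its base name."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrs = zone.get(".".join(labels))
        if rrs:
            return rrs
        labels = labels[1:]
    return []


def ca_domain(value):
    """CA domain from an issue/issuewild value, ignoring any ';key=val' parameters."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone, name, ca="letsencrypt.org"):
    """Return (allowed, reason) for CA `ca` issuing a certificate for `name`."""
    rrs = relevant_rrset(zone, name)
    critical_unknown = [r for r in rrs if r.flags & 128 and r.tag not in KNOWN_TAGS]
    if critical_unknown:
        return False, f"critical property {critical_unknown[0].tag!r} not understood"
    props = []
    if name.startswith("*."):
        props = [r for r in rrs if r.tag == "issuewild"]
    if not props:
        props = [r for r in rrs if r.tag == "issue"]
    if not props:
        return True, "no issue/issuewild property found: any CA may issue"
    for r in props:
        if ca_domain(r.value) == ca.lower():
            return True, f"matched {r.tag} {r.value!r}"
    return False, f"CAA record prevents issuance: {ca!r} not among {[r.value for r in props]}"


if __name__ == "__main__":
    for zone, name in [(ZONE_QUOTED_VALUE, "d19.ca"),
                       (ZONE_CORRECT, "www.d19.ca"),
                       (ZONE_NO_WILDCARDS, "*.example.test")]:
        print(name, issuance_allowed(zone, name))
```

To compare against what a CA actually sees, `dig CAA d19.ca +short` prints each record in presentation form (`0 issue "letsencrypt.org"`); feeding that line to `parse_caa_rdata` gives the stored value without quotes. If the provider's own check tool shows a value like `"letsencrypt.org"` with the quotes still inside, the record is in the broken state the thread describes.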