SOLVED Let's Encrypt Issue
-
Oddity just cropped up on getting a new app running:
Jan 24 08:13:12 box:cert/acme2 waitForChallenge: status is "invalid" {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: networking error looking up CAA for <mydnshere>","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/10323824999/c7R7Lw","token":"HLUAkRme8XYGPy70DjD654Tai58ovS7T-2SfmekUA3U","validationRecord":[{"url":"http://<mydnshere>/.well-known/acme-challenge/HLUAkRme8XYGPy70DjD654Tai58ovS7T-2SfmekUA3U","hostname":"<mydnshere>","port":"80","addressesResolved":["myip"],"addressUsed":"myip"}]}
The above <mydns> and <myip> are correct. I do have an empty surfer instance running in the root of the domain. This wasn't an issue yesterday but just started up today.
-
@doodlemania2 according to https://letsencrypt.org/docs/caa/#caa-errors first lets see if this is permanent or not. Then also check if you have setup any CAA rules to maybe prohibit issuing certificates by LetsEncrypt
-
@nebulon It cleared after about 30 minutes (strange). Will look at the CAA thing.
Oddity for me -> I'm set up to use wildcard as my DNS. I was thinking that would leverage a wildcard let's encrypt cert. No? -
That error message would seem to indicate that it failed on DNS lookup trying to pull the CAA to verify it - unusual for DNS to fail that way, but stranger things have happened.
-
@doodlemania2 said in Let's Encrypt Issue:
Oddity for me -> I'm set up to use wildcard as my DNS. I was thinking that would leverage a wildcard let's encrypt cert. No?
Other way around! Wildcard DNS will lead to non-wildcard certs (and vice versa - programmatic DNS means you can get wildcard certs).
Also, the DNS error is reported by the Let's encrypt servers and not by Cloudron. If this is a new domain or you changed the NS recently, these errors are normal.
-
@girish no changes - will monitor to see if it crops back up.
