Let's Encrypt -- "DNS ... query timed out looking up CAA for ..."

5,911

Let's Encrypt doesn't keep track of previous redirects. You can use either the HTTP or HTTPS version for validation.

Your error highlights a different problem:

DNS problem: query timed out looking up CAA for [somedomain.com]

The validation system was not able to complete a DNS lookup of the domain. It may be possible that the DNS provider you are using had some problem, or that the route between Let's Encrypt servers and your server had some network issue.

This is a similar problem, described on the official LE community forum.

I think the problem is on the DNS look-up step. There is no CAA record. Somehow it took a very long time for the domain name server to respond. Here are some results Osiris sent to me. He mentioned that getting the IP is fast, but 'one but last step is often quite slow'. Slowness could be the reason for failing at the CAA checking step.

and

Based on the original error and those times, it's very likely there are some problems with the DNS servers you're using or the route to them from Let's Encrypt's data center, and it's causing timeouts.

Investigate your DNS settings, and once the lookup succeeds, retry the certificate request after some time.
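A check you can run yourself along the lines of the advice above, as an added example that is not part of the original answer. It walks the CAA chain the way a CA does (the name, then each parent, per RFC 8659) and separates "no CAA record, issuance allowed" from "query unanswered, validation fails", which is what the error in the question reports even for a domain that has no CAA record. The `dig` wrapper, the `fake_resolver` stand-in and the function names are assumptions; `somedomain.com` is the placeholder from the error message.

```python
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]

class DnsTimeout(Exception):
    """The CAA query got no usable answer (timeout, SERVFAIL, REFUSED)."""

def candidate_names(domain: str) -> List[str]:
    """The FQDN and each parent, in the order a CA walks them (RFC 8659)."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def check_caa_chain(domain: str, resolve: Resolver) -> Tuple[str, str, List[str]]:
    """("caa", name, records) at the first name that has CAA records;
    ("none", domain, []) when nothing in the chain has any, which still permits
    issuance; ("timeout", name, []) at the first lookup that fails outright,
    the situation behind "query timed out looking up CAA for ..."."""
    for name in candidate_names(domain):
        try:
            records = resolve(name)
        except DnsTimeout:
            return ("timeout", name, [])
        if records:
            return ("caa", name, records)
    return ("none", domain, [])

def dig_caa(name: str, timeout: int = 3) -> List[str]:
    """Resolver backed by dig (assumed installed). Only NOERROR/NXDOMAIN count
    as an answer, so a dropped type-257 query or SERVFAIL is not read as "no CAA"."""
    proc = subprocess.run(["dig", "+time=%d" % timeout, "+tries=1", "CAA", name],
                          capture_output=True, text=True)
    out = proc.stdout
    if proc.returncode != 0 or not ("status: NOERROR" in out or "status: NXDOMAIN" in out):
        raise DnsTimeout(name)
    # Answer lines are tab-separated: name.  3600  IN  CAA  0 issue "letsencrypt.org"
    return [ln for ln in out.splitlines() if not ln.startswith(";") and "\tCAA\t" in ln]

def fake_resolver(answers: Dict[str, Optional[List[str]]]) -> Resolver:
    """Constructed stand-in for dig: name -> records, or None to simulate a timeout."""
    def resolve(name: str) -> List[str]:
        records = answers.get(name, [])
        if records is None:
            raise DnsTimeout(name)
        return records
    return resolve

if __name__ == "__main__":
    # Simulated failure for the name in the question; pass dig_caa for a live check.
    print(check_caa_chain("www.somedomain.com", fake_resolver({"somedomain.com": None})))
```

Run it against each authoritative server of the zone as well (dig's `@server` selector works inside the command list), since the CA's resolver may hit a different server than your local one.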


Author: Michael

Updated on September 18, 2022

Comments

  • Michael (over 1 year ago)

    I have been using Let's Encrypt on a few domains for a couple of months now, and it generally has been working. I was going through renewing the certs, and for one of the domains I get the following error message (in the returned JSON object at challenges[1].error.detail):

    DNS problem: query timed out looking up CAA for [somedomain.com]

    I tried looking up the error, but even Google found zero results (as of this writing). For the naysayers: Yes, this domain (exactly as shown in the error message) is valid and fully accessible and pingable from afar.

    There is an important predicament (clue) here, however, as to why this condition has sprung up. I had the settings for this domain set to redirect all traffic to HTTPS when I first tried renewing this particular domain. It seems that LE tried accessing the server at the HTTPS and failed. Since then I have changed the server settings so that the domain is not redirected to HTTPS for the acme-challenge folder. The problem seems to be that LE is remembering that a previous request was redirected, and now it does not want to access the HTTP URL instead. The challenges[1].validationRecord has two entries, one at [0] for HTTP and one at [1] for HTTPS, so clearly LE is aware that the server can be accessed at the HTTP address as well. Moreover, I can access the validation check file (on the domain in question) at the URL as given in challenges[1].validationRecord[0].url just fine without any issues.

    My question is: How do I make LE forget that I tried requesting a cert while having the server set to redirect all traffic to HTTPS? Hence, how do I make LE use the HTTP URL instead?

  • Michael (over 8 years ago)
    The domain in question does not have a CAA record, nor do the other domains for which I updated the certs at this time. Perhaps there was a problem with the DNS server at that time. If the error happens again next time I try updating the cert, I can check the DNS server for that domain. If this really is a generic DNS failure, the error message really should not mention CAA since that implies the use of CAA, when I am pretty sure most domains have none. Moreover, I ended up getting the cert renewed by putting an old (still valid) certificate on it -- implying that LE was requiring HTTPS.