I have 2 CAA records: example.com | 0 issue "letsencrypt.org" and *.example.com | 0 issue "letsencrypt.org"
[Sun May 20 03:13:38 MSK 2018] Sleep 120 seconds for the txt records to take effect
[Sun May 20 03:15:40 MSK 2018] ok, let's start to verify
[Sun May 20 03:15:40 MSK 2018] example.com is already verified, skip dns-01.
[Sun May 20 03:15:40 MSK 2018] Verifying:*.example.com
[Sun May 20 03:15:40 MSK 2018] d='*.example.com'
[Sun May 20 03:15:40 MSK 2018] keyauthorization='qkRXEgB3w2BH8bU19p-24Tvtdi8_ud74i-vlKu-1c08.QmvrPfTzKa77hK2EeCrN-esI4v5pHEtkmHWhrhyNqsE'
[Sun May 20 03:15:40 MSK 2018] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/wIR-kRoNy_OmNGyDjt1DYqFw_4qkI_w7GZjSOVeRZek/4722343247'
[Sun May 20 03:15:40 MSK 2018] _currentRoot='dns_cf'
[Sun May 20 03:15:40 MSK 2018] url='https://acme-v02.api.letsencrypt.org/acme/challenge/wIR-kRoNy_OmNGyDjt1DYqFw_4qkI_w7GZjSOVeRZak/4722343247'
[Sun May 20 03:15:40 MSK 2018] payload='{"keyAuthorization": "qkRXEgB3w2BH8bU19n-24Tvtdi8_ud74i-vlKu-1c08.QmvrPfTzKa77hK2EeCrN-esI4v5pHEtkmHWhrhyNqsE"}'
[Sun May 20 03:15:40 MSK 2018] POST
[Sun May 20 03:15:40 MSK 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/wIR-kRoNy_OmNGyDjt1DYqFw_4qkI_w7GZjSOVeRZak/4722343247'
[Sun May 20 03:15:40 MSK 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sun May 20 03:15:40 MSK 2018] _ret='0'
[Sun May 20 03:15:40 MSK 2018] code='200'
[Sun May 20 03:15:40 MSK 2018] trigger validation code: 200
[Sun May 20 03:15:40 MSK 2018] sleep 2 secs to verify
[Sun May 20 03:15:42 MSK 2018] checking
[Sun May 20 03:15:42 MSK 2018] GET
[Sun May 20 03:15:42 MSK 2018] url='https://acme-v02.api.letsencrypt.org/acme/challenge/wIR-kRoNy_OmNGyDjt1DYqFw_4qkI_w7GZjSOVeRZak/4722343247'
[Sun May 20 03:15:42 MSK 2018] timeout=
[Sun May 20 03:15:42 MSK 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sun May 20 03:15:42 MSK 2018] ret='0'
[Sun May 20 03:15:42 MSK 2018] *.example.com:Verify error:CAA record for *.example.com prevents issuance
[Sun May 20 03:15:42 MSK 2018] Skip for removelevel:
[Sun May 20 03:15:42 MSK 2018] pid
[Sun May 20 03:15:42 MSK 2018] No need to restore nginx, skip.
[Sun May 20 03:15:42 MSK 2018] _clearupdns
[Sun May 20 03:15:42 MSK 2018] Removing DNS records.
Just use example.com caa not *.example.com
The apex domain already covers all subdomains
https://letsencrypt.org/docs/caa/
Initially, this *.example.com record was not there; the error existed.
I had the same problem.
Adding 0 issuewild "letsencrypt.org" solved it.
However I believe that issuewild record shouldn't be needed for wildcard certificate when there is issue record already.
You don鈥檛 have an issuewild allowing Let鈥檚 Encrypt to issue wildcard certificates.
You need to add a CAA record allowing Let鈥檚 Encrypt to issue wildcard certificates for your domain name.
eg. CAA record
0 issuewild letsencrypt.org
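Added illustration (not acme.sh or Let's Encrypt code) of the CAA evaluation rules from RFC 8659 that this thread argues about: the CA climbs from the queried name toward the root until it finds a CAA RRset (so an apex record covers subdomains), a wildcard name is checked with its '*' label stripped, and issuewild only overrides issue when an issuewild property is actually present. The zone data is constructed to mirror the records in the thread.

```python
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone: owner name -> CAA RRset. Mirrors the thread's apex record.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org")],
}

def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 8659 section 3: return the first non-empty CAA RRset found while
    climbing from `name` toward the root; empty if none exists."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []

def caa_permits(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """True if `ca_domain` is authorised to issue for `name`.
    A leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name  # strip the '*' label before lookup
    rrset = relevant_caa_set(zone, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    # Critical flag (0x80) on a tag the CA does not understand: must not issue.
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag not in known for flags, tag, _ in rrset):
        return False
    wild = [v for _, tag, v in rrset if tag == "issuewild"]
    plain = [v for _, tag, v in rrset if tag == "issue"]
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    relevant = wild if (wildcard and wild) else plain
    if not relevant:
        return True  # RRset carries no issue/issuewild restriction at all
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer == ca_domain.lower():
            return True
    return False  # no match; 'issue ";"' names no CA and lands here too

if __name__ == "__main__":
    print(caa_permits(ZONE, "*.example.com", "letsencrypt.org"))  # True
```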