Let’s Encrypt ACME CAA Limitation

Not all domain names are supported by Let’s Encrypt ACME


In my previous blog post about setting up Kubernetes with MicroK8s and Traefik, I used the DDNS service from noip.com to create the domain name microk8s.ddns.net for testing with the whoami application, and it worked without any problem.

But when I tried to switch to my other domain, which comes from a DDNS service run by my internet provider, the certificate could not be issued; the error was "query timed out looking up CAA".

This blog post takes a closer look at ACME and CAA.

Introduction

To host a website or web application securely, you want to serve it over HTTPS (HTTP over SSL, or rather over TLS nowadays) only, and either disable plain HTTP or, better, always redirect it to HTTPS.

For HTTPS to work properly, you need a certificate that proves your site’s identity to your clients: that the server really belongs to the domain it serves and is not a man in the middle trying to read the data in transit. A self-signed certificate will not do the job here.

To validate that a certificate belongs to the entity it claims to, the certificate must be issued by a trusted certificate authority (CA). Every web browser and OS maintains a list of trusted CAs, so the certificate can be cross-checked against it during validation.

Let’s Encrypt is a trusted CA that provides an automated way to issue certificates for your application for free, using the Automatic Certificate Management Environment (ACME) protocol. Learn more about how Let’s Encrypt and the ACME protocol work in this documentation page.

For servers or VMs, you can use certbot for this job. For Kubernetes clusters, cert-manager and Traefik can both do it.

Traefik Error Log

Let’s get back to my situation. When I tried to set up a new IngressRoute with a certificate resolver for my whoami application on a specific domain, I got these errors in Traefik’s log:

Unable to obtain ACME certificate for domains "this.isnotwork.com": unable to generate a certificate for the domains [this.isnotwork.com]: error: one or more domains had a problem:
[this.isnotwork.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for this.isnotwork.com

After several repetitions of the same error, it showed this one last:

Unable to obtain ACME certificate for domains "this.isnotwork.com": unable to generate a certificate for the domains [this.isnotwork.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

*For security reasons, the domain has been substituted.
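The log lines above have a regular shape: the domain in quotes, an ACME error URN (urn:ietf:params:acme:error:dns, then urn:ietf:params:acme:error:rateLimited) and the HTTP status. The following is an added example, not code from the original post or from Traefik, that parses such lines, counts failures per domain and flags a domain before repeated retries run into the failed-authorization rate limit behind the 429. The log lines are constructed to match the quoted format, the hostnames other than the substituted one are hypothetical, and the threshold of 5 is an assumption to be checked against the rate-limits page linked in the error.

```python
"""Added example (not from the original post or Traefik): classify Traefik
ACME failure lines, count failures per domain and flag a domain before its
retries run into Let's Encrypt's failed-authorization rate limit (the 429
in the post). All sample log lines below are constructed."""
import re
from collections import Counter

# Assumption: after this many validation failures for one hostname, stop
# retrying and fix DNS first. Check the rate-limits page linked in the 429
# error for the current limit.
FAILURE_THRESHOLD = 5

def _traefik_line(domain, detail):
    """Build a line in the shape Traefik logs for a failed ACME order."""
    return (f'Unable to obtain ACME certificate for domains "{domain}": '
            f'unable to generate a certificate for the domains [{domain}]: {detail}')

SAMPLE_LOG = (
    [_traefik_line(
        "this.isnotwork.com",
        "error: one or more domains had a problem: [this.isnotwork.com] acme: error: 400 :: "
        "urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA "
        "for this.isnotwork.com")] * 5
    + [_traefik_line(
        "this.isnotwork.com",
        "acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: "
        "urn:ietf:params:acme:error:rateLimited :: Error creating new order :: "
        "too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/")]
    + [_traefik_line(
        "other.example.test",   # hypothetical second host with a different failure type
        "error: one or more domains had a problem: [other.example.test] acme: error: 403 :: "
        "urn:ietf:params:acme:error:unauthorized :: challenge response did not match (constructed)")]
    + ['level=info msg="Configuration loaded from file"']   # unrelated line, must be ignored
)

DOMAIN_RE = re.compile(r'ACME certificate for domains "([^"]+)"')
ERROR_RE = re.compile(r'urn:ietf:params:acme:error:(\w+)')
STATUS_RE = re.compile(r'acme: error: (\d{3})')

def parse_acme_error(line):
    """Return (domain, ACME error type, HTTP status) for an ACME failure line,
    or None for any other log line."""
    domain = DOMAIN_RE.search(line)
    error = ERROR_RE.search(line)
    if not domain or not error:
        return None
    status = STATUS_RE.search(line)
    return domain.group(1), error.group(1), int(status.group(1)) if status else None

def summarize(lines, threshold=FAILURE_THRESHOLD):
    """Count validation failures per (domain, error type), record domains that
    already hit the rate limit, and flag domains at or above the threshold."""
    counts = Counter()
    rate_limited = set()
    for line in lines:
        parsed = parse_acme_error(line)
        if parsed is None:
            continue
        domain, error, _status = parsed
        if error == "rateLimited":
            rate_limited.add(domain)   # the order was refused; not a validation failure
        else:
            counts[(domain, error)] += 1
    at_risk = {domain for (domain, _err), n in counts.items() if n >= threshold}
    return {
        "counts": dict(counts),
        "rate_limited": sorted(rate_limited),
        "at_risk": sorted(at_risk),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (domain, error), n in report["counts"].items():
        print(f"{domain}: {n} x {error}")
    print("already rate limited:", report["rate_limited"])
    print("stop retrying, fix DNS first:", report["at_risk"])
```

Running this over the sample shows the substituted domain with five dns-type failures (already flagged) followed by the rateLimited refusal, while the unrelated info line is skipped. In a real deployment the same classification run over Traefik's log stream lets you pause the resolver for a broken domain instead of burning through the failed-authorization budget.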

I searched for the error message and found this post, which explains the CAA error concisely.

The Let’s Encrypt documentation page also explains CAA.

Certificate Authority Authorization (CAA)

In short, Let’s Encrypt (or any CA) should query DNS for a CAA record to determine whether it is authorized to issue a certificate for that specific domain. This prevents mis-issued certificates, which could potentially affect any domain name.

Verify CAA

You can verify whether your domain name is compatible with Let’s Encrypt ACME using https://unboundtest.com/, which simulates the DNS lookups Let’s Encrypt performs when it tries to issue a certificate.

You will get an i/o timeout for a domain whose DNS server does not answer CAA queries, and such a domain will not work with Let’s Encrypt.

Here is an example of a domain that does answer CAA queries and will work with Let’s Encrypt.
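To make the CAA check concrete for both the authorization rule above and the Unboundtest outcomes, here is an added example, not code from the original post or from Let’s Encrypt, that models how a CA decides whether it may issue: it walks from the domain up through its parents to find the relevant CAA record set (RFC 8659 section 3) and then applies the issue/issuewild rules. Instead of live DNS it uses a constructed in-memory zone with hypothetical names ending in .test, so it runs offline; a None entry stands for a server that times out on CAA queries, which is what the post's failing domain did.

```python
"""Added example (not from the original post or Let's Encrypt's code): a
CAA authorization check modelled on RFC 8659 sections 3 and 4, run against
a constructed in-memory zone instead of live DNS. It reproduces the outcomes
the post describes: the CAA query times out, no CAA record exists anywhere,
or a CAA record explicitly names letsencrypt.org."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # issuer domain, optionally followed by ";params", or ";" for "no CA"

class LookupTimeout(Exception):
    """The authoritative server never answered the CAA query."""

# Constructed sample data keyed by owner name (all names hypothetical).
# An empty list is a NODATA answer; None models a server that times out on
# CAA queries, which is what the post's failing domain did.
SAMPLE_DNS = {
    "example-azure.test.": [CAA(0, "issue", "letsencrypt.org")],
    "www.example-azure.test.": [],               # no CAA here: climb to the parent
    "locked.test.": [CAA(0, "issue", ";")],      # CAA present but allows no CA at all
    "wild.test.": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "isnotwork.test.": None,
    "this.isnotwork.test.": None,
    "nocaa.test.": [],                           # no CAA anywhere: issuance allowed
}

def lookup_caa(name, dns):
    """Return the CAA RRset at name (possibly empty); raise on timeout."""
    if name not in dns:
        return []                                # NXDOMAIN: treated as empty
    records = dns[name]
    if records is None:
        raise LookupTimeout(f"query timed out looking up CAA for {name}")
    return records

def relevant_caa_set(domain, dns):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    domain itself up through its parents (the root is not consulted)."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".", dns)
        if rrset:
            return rrset
    return []

def may_issue(domain, ca, dns, wildcard=False):
    """Decide whether ca may issue for domain (for *.domain when wildcard)."""
    rrset = relevant_caa_set(domain, dns)
    if not rrset:
        return True              # no CAA policy in the tree: any CA may issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"        # issuewild, when present, governs wildcards
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True              # e.g. only iodef records: no issue restriction
    # The value may carry parameters after ';' ("letsencrypt.org; ..."); a
    # bare ";" has an empty issuer name and therefore matches no CA.
    return any(r.value.split(";")[0].strip() == ca for r in relevant)

def describe(domain, ca, dns, wildcard=False):
    """Outcome in the style of the ACME error strings quoted in the post."""
    try:
        allowed = may_issue(domain, ca, dns, wildcard)
    except LookupTimeout as exc:
        return f"urn:ietf:params:acme:error:dns :: DNS problem: {exc}"
    if allowed:
        return f"{ca} is authorized to issue for {domain}"
    return f"urn:ietf:params:acme:error:caa :: CAA record for {domain} prevents issuance"

if __name__ == "__main__":
    for name in ("this.isnotwork.test.", "nocaa.test.", "www.example-azure.test.", "locked.test."):
        print(describe(name, "letsencrypt.org", SAMPLE_DNS))
```

The two failure modes are deliberately different: a timeout is a DNS problem and the CA cannot tell what the policy is, so it refuses (the post's error), whereas a CAA record that names another CA or a bare ";" is an explicit policy and yields the caa error type instead. The example also goes one step beyond the post by handling issuewild, which is what a CA consults for a wildcard name when that tag is present.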

Solution

Contact your DNS service provider to ask whether they can add a CAA record for you, or otherwise change provider. Most DNS service providers should support CAA records out of the box. You may check this list from the Traefik documentation page.

Azure DNS

Here, I added a new A record under my Azure DNS zone, and the CAA query works fine.

Azure DNS A Record — screen captured by the author

Here is the Unboundtest log:

Then I tried adding a CAA record to explicitly authorize letsencrypt.org to issue certificates for this specific domain.

Azure DNS CAA record — screen captured by the author

Here is the Unboundtest log:

CNAME Record

One question still remains: can I use a CNAME record for my domain name?

Suppose your home’s public IP is dynamic, so you cannot use an A record because the IP keeps changing, but you want to use a CNAME record to map your domain name (the pretty domain that you bought) to your DDNS domain name (the uglier one provided by the DDNS service provider, e.g. noip.com).

The short answer is NO. It seems the ACME protocol will resolve the IP address for your domain from an A (IPv4) or AAAA (IPv6) record only. In addition, as I found when I tried, if you create a CNAME record you cannot create a CAA record, and vice versa.

I’m still looking for a solution for this scenario. One option is to use the dnsChallenge resolver, but I’m not sure whether it will work with CNAME; otherwise I need to develop a script, run by a regular job, to update the DNS record manually.

I will share more later. Cheers!
