shibayan / keyvault-acmebot

Automated ACME SSL/TLS certificates issuer for Azure Key Vault (App Service / Container Apps / App Gateway / Front Door / CDN / others)
Apache License 2.0

Renewal fails if a domain has CAA records, even if they are valid and were working 2 months ago #711

Closed dmi97 closed 3 months ago

dmi97 commented 3 months ago

Describe the bug

After deploying KeyVault-acmebot in March 2024, wildcard certs were generated without issues, manual renewal was tested and it worked as expected on a couple of domains. Thank you for this amazing tool.

One of the changes I had to make for it to work was to explicitly authorize "letsencrypt.org" in Azure DNS using CAA records because we already had records for sectigo/digicert. Those records haven't been modified since then, certs were manually renewed several times for testing and all was good.

Fast forward to today, and automatic renewal has been failing in all of our domains. Manual renewal also fails if any CAA record exists. Removing all the CAA records and manually renewing fixes the issue. But it should work if the CAA records are valid, at least it worked back in March 2024.

Something has changed between March and May that makes the renewal fail. I couldn't find any major changes in Let's Encrypt that could have caused this.

To Reproduce

Steps to reproduce the behavior:

Configure valid CAA records on a domain in Azure DNS, for example:

0 issue "digicert.com"
0 issue "letsencrypt.org"
0 issue "amazontrust.com"
0 issue "sectigo.com"

Wait for DNS propagation and do a manual renewal. The renewal will fail.

If you remove all CAA records and try again, the renewal will succeed.


Additional context

Error message displayed after attempting manual renewal:

func-****.azurewebsites.net says Orchestrator function: RenewCertificate_Orchestrator Orchestrator function 'RenewCertificate_Orchestrator' failed: The orchestrator function 'IssueCertificate' failed: "The activity function 'CheckIsReady' failed: "ACME validation status is invalid. Required retry at first. LastError = {"type":"urn:ietf:params:acme:error:caa","detail":"CAA record for ****.com prevents issuance","status":403}". See the function execution logs for additional details.". See the function execution logs for additional details.

shibayan commented 3 months ago

This error indicates that the ACME Certificate Authority has failed to check the CAA record. Since Acmebot is not involved in CAA records, there is either a problem with the ACME Certificate Authority or with the CAA record.
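As an added illustration (not code from the acmebot project or either commenter), this is the CAA evaluation a CA performs under RFC 8659, run offline against a constructed record set shaped like the one in the report: the relevant CAA set is the closest name, walking up from the requested FQDN, that has any CAA records; for a wildcard name, `issuewild` records take over from `issue` only when they exist; a bare `;` forbids all issuance; and a critical-flagged unknown tag blocks issuance. Domain names and records here are assumed, not real DNS data.

```python
# Constructed example zone (not real DNS data): name -> list of (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "amazontrust.com"),
        (0, "issue", "sectigo.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],          # ';' = nobody may issue
    "wild.example.com": [(0, "issue", "digicert.com"),
                         (0, "issuewild", "sectigo.com")],
    "odd.example.com": [(128, "future-tag", "x")],      # critical flag, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str, zone: dict) -> tuple[str, list]:
    """RFC 8659 s3: strip a leading wildcard label, then walk from the FQDN toward the
    root and return the first name that has any CAA records (and those records)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        fqdn = ".".join(labels)
        if zone.get(fqdn):
            return fqdn, zone[fqdn]
        labels = labels[1:]
    return "", []


def ca_domain(value: str) -> str:
    """An issue/issuewild value is '<ca-domain>' optionally followed by ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca: str, name: str, zone: dict = ZONE) -> bool:
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue for `name`."""
    _, records = relevant_caa_set(name, zone)
    # A critical (flag bit 128) record with a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    wildcard = name.startswith("*.")
    issuewild = [r for r in records if r[1].lower() == "issuewild"]
    issue = [r for r in records if r[1].lower() == "issue"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:  # no governing property at all: any CA may issue
        return True
    return any(ca_domain(v) == ca.lower() for _, _, v in governing)
```

If this check passes for the CA and name in question but the CA still returns `urn:ietf:params:acme:error:caa`, the discrepancy lies in what the CA's resolvers actually saw (propagation, DNSSEC, or a differing record set), which is the first thing to compare against the zone.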