FortiGate
mdibaee
Staff
Article Id 266989
Description

This article describes the error 'DNSSEC: Bogus, problem: urn:ietf:params:acme:error:dns' that FortiGate logs when it fails to provision or renew an ACME certificate, and how to troubleshoot it.

Scope

Provisioning of ACME certificates using FortiGate.
Solution

Quoting from 'Certificate Authority Authorization (CAA) - Let's Encrypt (letsencrypt.org)':

  •  'Since Let’s Encrypt checks CAA records before every certificate we issue, sometimes we get errors even for domains that haven’t set any CAA records. When we get an error, there’s no way to tell whether we are allowed to issue for the affected domain, since there could be CAA records present that forbid issuance but are not visible because of the error.'

 

During ACME certificate issuance or renewal, the CA (Let's Encrypt, in this case) checks the CAA status of the public FQDN named in the request by performing CAA lookups (DNS record type 257) on that FQDN and its parent domains, using a DNSSEC-validating resolver.

A CAA lookup on the public FQDN should return NOERROR. An empty answer section is acceptable: it simply means no CAA records are published and any CA may issue.

id 26143, opcode QUERY, rcode NOERROR, flags QR RD RA
;QUESTION

If instead the lookup returns SERVFAIL, which is what a validating resolver answers when the DNSSEC chain for the zone does not validate (is 'bogus'), or when the authoritative servers fail the CAA query:

id 10766, opcode QUERY, rcode SERVFAIL, flags QR RD RA
;QUESTION

then the ACME log on FortiGate shows the following error:

DNSSEC: Bogus, problem: urn:ietf:params:acme:error:dns

 

More information regarding CAA records, according to Let's Encrypt ('Certificate Authority Authorization (CAA) - Let's Encrypt', letsencrypt.org):

 

  • What is a CAA record: 'CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names'.
  • Usage: 'If you would like to use CAA to restrict which Certificate Authorities are allowed to issue certificates for your domain, you will need to use a DNS provider that supports setting CAA records'.

 

Contact the DNS solution provider to troubleshoot the DNSSEC setup for the zone (DS record at the parent, DNSKEY and RRSIG validity, key rollover state) and, where CAA records are not supported, to ensure the authoritative servers still return NOERROR with an empty answer section, rather than SERVFAIL or REFUSED, for the CAA query type. Until the CAA lookup validates cleanly, Let's Encrypt cannot tell whether issuance is permitted and will refuse the request, so the FortiGate ACME provisioning keeps failing with the same error.
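The following is an added example (not Fortinet or Let's Encrypt code) of how to reproduce, from any host, the CAA check that a validating resolver performs, and to tell a bogus DNSSEC chain apart from an authoritative server that breaks on CAA queries. It sends the same CAA query twice: once normally (CD=0, the resolver validates and answers SERVFAIL on a bogus chain) and once with the Checking Disabled bit (CD=1, the resolver returns the upstream data regardless of signatures). SERVFAIL only on the CD=0 query points at DNSSEC; SERVFAIL on both points at the authoritative side. It uses only the Python standard library; the resolver address 9.9.9.9 is an assumption (any DNSSEC-validating recursive resolver will do), and the FQDN is passed on the command line.

```python
"""Reproduce the CAA lookup an ACME CA's validating resolver performs, and tell a
broken DNSSEC chain apart from an authoritative server that fails on CAA queries.
Added example (stdlib only); not Fortinet or Let's Encrypt code."""
import random
import socket
import struct

QTYPE_CAA = 257  # RFC 8659 CAA record type
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = ((0x8000, "QR"), (0x0400, "AA"), (0x0200, "TC"), (0x0100, "RD"),
             (0x0080, "RA"), (0x0020, "AD"), (0x0010, "CD"))


def build_query(name, qtype=QTYPE_CAA, checking_disabled=False, txid=None):
    """Wire-format DNS query with an EDNS0 OPT record carrying the DO bit, so a
    validating resolver performs DNSSEC validation. With checking_disabled=True the
    CD bit is set and the resolver hands back the upstream data even if the
    signatures are bogus, instead of answering SERVFAIL."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100                     # RD (recursion desired)
    if checking_disabled:
        flags |= 0x0010                # CD (checking disabled)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)           # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode / EDNS version / flags (DO = 0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(response):
    """Return (txid, rcode name, flag names, answer count) from a DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    names = [n for bit, n in FLAG_BITS if flags & bit]
    rcode = flags & 0x0F
    return txid, RCODE_NAMES.get(rcode, str(rcode)), names, an


def lookup(name, resolver, checking_disabled=False, timeout=3.0):
    """Send one CAA query over UDP to `resolver` (assumed to be a validating
    recursive resolver, like the one an ACME CA uses) and return its parsed header."""
    query = build_query(name, checking_disabled=checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    txid, rcode, flags, an = parse_header(data)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return rcode, flags, an


def classify(rcode_cd0, rcode_cd1):
    """Interpret the rcodes of a CD=0 and a CD=1 CAA query for the same name."""
    if rcode_cd0 == "NOERROR":
        return "ok"                    # CA can evaluate CAA (empty answer is fine)
    if rcode_cd0 == "NXDOMAIN":
        return "nxdomain"              # name itself does not exist
    if rcode_cd0 == "SERVFAIL" and rcode_cd1 in ("NOERROR", "NXDOMAIN"):
        return "dnssec-bogus"          # data reachable, DNSSEC validation fails
    return "authoritative-failure"     # authoritative servers break on CAA itself


if __name__ == "__main__":
    import sys
    fqdn = sys.argv[1]
    resolver = sys.argv[2] if len(sys.argv) > 2 else "9.9.9.9"  # assumed validating resolver
    cd0 = lookup(fqdn, resolver)
    cd1 = lookup(fqdn, resolver, checking_disabled=True)
    print("CD=0:", cd0, "CD=1:", cd1, "->", classify(cd0[0], cd1[0]))
```

Run it as `python3 caa_check.py vpn.example.com` and compare with the FortiGate ACME log: a 'dnssec-bogus' result means the zone's DNSSEC chain is what the DNS provider needs to repair, while 'authoritative-failure' means their servers must be fixed to answer NOERROR for CAA (type 257) queries. The same two-query comparison can be done with `dig CAA <fqdn> +dnssec` and `dig CAA <fqdn> +cd`.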