Created on 08-01-2023 10:58 PM Edited on 08-01-2023 10:59 PM By Jean-Philippe_P
Description
This article describes the error 'DNSSEC: Bogus, problem: urn:ietf:params:acme:error:dns' that FortiGate reports when attempting to provision an ACME certificate.
Scope
Provisioning of ACME certificates using FortiGate.
Solution
As documented in 'Certificate Authority Authorization (CAA) - Let's Encrypt (letsencrypt.org)':
During an ACME certificate request or renewal, the CA validates the CAA status of the public FQDN for which the certificate is requested by running CAA lookups on that FQDN.
The CAA lookup on the public FQDN should return a result like the following:
id 26143, opcode QUERY, rcode NOERROR, flags QR RD RA
If instead the result is received as follows:
id 10766, opcode QUERY, rcode SERVFAIL, flags QR RD RA
the following error can be found in the ACME logs on FortiGate:
DNSSEC: Bogus, problem: urn:ietf:params:acme:error:dns
More information regarding CAA records is available from Let's Encrypt: Certificate Authority Authorization (CAA) - Let's Encrypt (letsencrypt.org).
Contact the DNS solution provider to further troubleshoot the DNSSEC setup; specifically, ensure that the DNS service returns at least 'NOERROR' for unknown query types if CAA records are not supported.
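The check below is an added example, not part of this article or of FortiGate: it parses response headers in the format quoted above and tells a DNSSEC validation failure (SERVFAIL that becomes NOERROR once the CD bit disables validation) apart from an authoritative server that cannot answer the CAA query at all (SERVFAIL either way). The optional live query assumes the dnspython library is installed; the public FQDN and resolver address are parameters you supply.

```python
import re

# Matches "rcode NOERROR" / "rcode SERVFAIL" in a header such as
# "id 26143, opcode QUERY, rcode NOERROR, flags QR RD RA".
HEADER_RE = re.compile(r"rcode\s+(\w+)")


def rcode_of(header: str) -> str:
    """Return the rcode found in a response header line."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError(f"no rcode in header: {header!r}")
    return m.group(1).upper()


def classify(rcode_plain: str, rcode_cd: str) -> str:
    """Diagnose a CAA lookup from its rcode without and with the CD bit.

    ok               - NOERROR (an empty answer is fine), ACME can proceed
    dnssec-bogus     - SERVFAIL normally but NOERROR with CD set: the validating
                       resolver rejected the DNSSEC chain for this name
    upstream-failure - SERVFAIL both ways: the authoritative side fails the
                       query itself, e.g. it cannot answer type CAA
    """
    if rcode_plain == "NOERROR":
        return "ok"
    if rcode_plain == "SERVFAIL" and rcode_cd == "NOERROR":
        return "dnssec-bogus"
    if rcode_plain == "SERVFAIL":
        return "upstream-failure"
    return f"unexpected-{rcode_plain.lower()}"


def live_check(fqdn: str, resolver: str, timeout: float = 3.0) -> str:
    """Query CAA for fqdn at resolver twice (plain, then CD) and classify."""
    import dns.flags, dns.message, dns.query, dns.rcode  # lazy: parser works without dnspython

    def ask(checking_disabled: bool) -> str:
        q = dns.message.make_query(fqdn, "CAA", want_dnssec=True)
        if checking_disabled:
            q.flags |= dns.flags.CD  # ask the resolver to skip DNSSEC validation
        return dns.rcode.to_text(dns.query.udp(q, resolver, timeout=timeout).rcode())

    return classify(ask(False), ask(True))


if __name__ == "__main__":
    # Constructed headers mirroring the two responses quoted in the article.
    good = "id 26143, opcode QUERY, rcode NOERROR, flags QR RD RA"
    bad = "id 10766, opcode QUERY, rcode SERVFAIL, flags QR RD RA"
    print(classify(rcode_of(good), rcode_of(good)))  # ok
    print(classify(rcode_of(bad), rcode_of(good)))   # dnssec-bogus
```

Run live_check('example.com', '<resolver-ip>') against the resolver FortiGate actually uses; a 'dnssec-bogus' result points at the DNSSEC chain for the zone, while 'upstream-failure' points at a DNS provider that does not handle unknown query types.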
Copyright 2024 Fortinet, Inc. All Rights Reserved.