
While running certbot, the following message appears:

query timed out looking up CAA for mydomain.com

It appears that boulder is trying to query my DNS with a CAA record.

However, my ISP's DNS does not support CAA, and the following command times out:

$ dig mydomain.com @ns1.my-isp.com CAA
...
;; connection timed out; no servers could be reached

Same for:

$ dig mydomain.com @ns1.my-isp.com -t TYPE257
...
;; connection timed out; no servers could be reached

(Just to be clear: It does not return an empty answer or no answer. dig times out waiting for an answer.)

A regular (A, TXT, CNAME...) query on the same DNS runs correctly:

$ dig mydomain.com @ns1.my-isp.com A
(runs OK!)

I have contacted my ISP, and they have no means to fix this problem in the foreseeable future.

Because of some business-related reasons, moving to a different hosting provider or switching DNS servers is currently impossible.

Can I still use letsencrypt?

Udi
  • Have you read https://github.com/certbot/certbot/issues/1610 ? – Lenniey May 11 '17 at 07:03
  • Yes, I did. It does not answer my problem. – Udi May 11 '17 at 07:09
  • I don't know the answer to your question with certbot, but bear in mind that certbot is just one of many ACME clients that work with LetsEncrypt – Steve365 May 11 '17 at 07:24
  • True. Personally I use https://github.com/srvrco/getssl; it gave me the least hassle. – Lenniey May 11 '17 at 07:42
  • It is not a client (certbot) problem. It is a server (boulder) problem. – Udi May 11 '17 at 08:08
  • @Udi I ran into the same issue today, did you solve the problem? – user2875289 Sep 02 '18 at 16:32
  • @user2875289: I have found a workaround. We have added NS records for this specific host that point to Google's Cloud DNS service and added a CAA record over there. – Udi Sep 02 '18 at 20:32
  • @Udi I also used Google Cloud DNS to do some experiments yesterday and it turned out well. But the problem now is my client holds a domain name `example.com`, and also the `DNS Name Server`. He has an `A record` `dog.example.com` pointing to my server. I couldn't use `certbot` due to their DNS lacking CAA. They cannot add NS records pointing to my Google Cloud DNS because they want to manage the DNS Name Server themselves. And AFAIK Google Cloud DNS needs the full domain name `example.com` instead of just the subdomain `dog.example.com`. Any thoughts? Thanks! – user2875289 Sep 03 '18 at 02:58
  • @user2875289: To make this work you would need to add an NS record for either `dog.example.com` or `example.com`. – Udi Sep 03 '18 at 06:25
  • @Udi Unfortunately, my client didn't have the privilege (or didn't know how) to make changes to the DNS record. So he ended up paying a CA who sent an engineer to help them get an SSL certificate from that CA. Sorry for wasting your time. Thank you. – user2875289 Sep 05 '18 at 02:25
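The lookup behind the error above, as an added example that is not part of the original question or comments: a CA walks the CAA query from the host name up to its parents (RFC 6844 section 4), so a nameserver that never answers TYPE257 stops the walk with a timeout, while delegating just the host to a provider that answers CAA (the workaround from the comments) satisfies the walk at the first step. The resolver callbacks and the `dog.example.com` zone data below are constructed stand-ins, not live DNS.

```python
from typing import Callable, Dict, List

class CaaTimeout(Exception):
    """The authoritative server never answered the CAA (TYPE257) query."""

def caa_lookup(name: str, resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """RFC 6844 sec. 4: ask for CAA at the name, then at each parent, and
    use the first non-empty answer. resolve() returns the CAA strings for
    one exact name ([] means NODATA) or raises CaaTimeout. A timeout at any
    level ends the walk, which is the state the question reports."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        try:
            records = resolve(candidate)
        except CaaTimeout:
            return {"status": "timeout", "at": candidate, "records": []}
        if records:
            return {"status": "found", "at": candidate, "records": records}
    return {"status": "none", "at": None, "records": []}

def issuance_allowed(result: Dict[str, object], ca: str) -> bool:
    """No CAA anywhere means any CA may issue; a CAA set permits `ca` only
    if an 'issue' property names it (issuewild is ignored here). A timeout
    is treated as a hard failure, as the question's CA did."""
    if result["status"] == "timeout":
        return False
    if result["status"] == "none":
        return True
    for rr in result["records"]:            # "<flags> <tag> <value>"
        _flags, tag, value = rr.split(None, 2)
        if tag.lower() == "issue" and value.strip('"').split(";")[0].strip() == ca:
            return True
    return False

# Constructed sample zones (assumptions, not from the question).
def isp_resolver(name: str) -> List[str]:
    """The ISP nameserver drops every TYPE257 query under the zone: dig
    'times out' instead of returning NODATA."""
    if name.endswith("example.com"):
        raise CaaTimeout(name)
    return []                               # the TLD answers NODATA

def delegated_resolver(name: str) -> List[str]:
    """Workaround from the comments: only the host is delegated by NS to a
    provider that answers CAA; the parent zone stays on the ISP server."""
    if name == "dog.example.com":
        return ['0 issue "letsencrypt.org"']
    return isp_resolver(name)
```

Because the walk stops at the first name with a CAA answer, the parent zone's broken server is never asked once the host itself is delegated and carries a CAA record.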
