Let's Encrypt -- "DNS ... query timed out looking up CAA for ..."

I have been using Let's Encrypt on a few domains for a couple of months now, and it generally has been working. I was going through renewing the certs, and for one of the domains I get the following error message (in the returned JSON object at challenges[1].error.detail):

DNS problem: query timed out looking up CAA for [somedomain.com]

I tried looking up the error, but even Google found zero results (as of this writing). For the naysayers: Yes, this domain (exactly as shown in the error message) is valid and fully accessible and pingable from afar.

There is an important predicament (clue) here, however, as to why this condition has sprung up. I had the settings for this domain set to redirect all traffic to HTTPS when I first tried renewing this particular domain. It seems that LE tried accessing the server at the HTTPS and failed. Since then I have changed the server settings so that the domain is not redirected to HTTPS for the acme-challenge folder. The problem seems to be that LE is remembering that a previous request was redirected, and now it does not want to access the HTTP URL instead. The challenges[1].validationRecord has two entries, one at [0] for HTTP and one at [1] for HTTPS, so clearly LE is aware that the server can be accessed at the HTTP address as well. Moreover, I can access the validation check file (on the domain in question) at the URL as given in challenges[1].validationRecord[0].url just fine without any issues.

My question is: How do I make LE forget that I tried requesting a cert while having the server set to redirect all traffic to HTTPS? Hence, how do I make LE use the HTTP URL instead?


Solution 1:

Let's Encrypt doesn't keep track of previous redirects. You can use either the HTTP or the HTTPS version for validation.

Your error highlights a different problem:

DNS problem: query timed out looking up CAA for [somedomain.com]

The validation system was not able to complete a DNS lookup of the domain. It may be possible that the DNS provider you are using had some problem, or that the route between Let's Encrypt servers and your server had some network issue.

This is a similar problem, described on the official LE community forum.

I think the problem is on the DNS look-up step. There is no CAA record. Somehow it took a very long time for the domain name server to respond. Here are some results Osiris sent to me. He mentioned that getting the IP is fast, but 'one but last step is often quite slow'. Slowness could be the reason for failing at the CAA checking step.

and

Based on the original error and those times, it's very likely there are some problems with the DNS servers you're using or the route to them from Let's Encrypt's data center, and it's causing timeouts.

Investigate your DNS settings, and if the lookup is successful, retry submitting the certificate request after some time.
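As an added example (not part of this answer and not Let's Encrypt's own code), here is the CAA tree climb from RFC 8659 simulated offline against a constructed zone. It shows why the validator can fail on "query timed out looking up CAA" even though no CAA record exists anywhere on the path: every label up to the TLD is queried, and an unanswered query cannot be read as "no record". FAKE_ZONE, fake_lookup, caa_set and issuance_check are names made up for this example; the domain data is constructed.

```python
"""Added example: RFC 8659 CAA tree climb over a constructed in-memory
zone (offline). A timeout at any label on the path fails the check."""
from typing import Callable, Dict, List, Optional, Tuple

Records = List[Tuple[str, str]]  # (tag, value), e.g. ("issue", "letsencrypt.org")
Lookup = Callable[[str], Records]

class LookupTimeout(Exception):
    """The resolver returned nothing before the deadline."""

# Constructed data, not real DNS. None models a name whose servers never answer.
FAKE_ZONE: Dict[str, Optional[Records]] = {
    "www.somedomain.com.": [],                    # no CAA published here ...
    "somedomain.com.": None,                      # ... and the apex times out
    "com.": [],
    "www.example.net.": [],
    "example.net.": [("issue", "letsencrypt.org")],
    "net.": [],
}

def fake_lookup(name: str) -> Records:
    """Stand-in for a real CAA query, served from FAKE_ZONE."""
    records = FAKE_ZONE.get(name, [])
    if records is None:
        raise LookupTimeout(f"query timed out looking up CAA for {name}")
    return records

def caa_set(domain: str, lookup: Lookup) -> Tuple[str, Records]:
    """Closest non-empty CAA set, walking from the domain up to the TLD.
    The root is not queried here (a simplification of the RFC walk)."""
    labels = domain.strip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        records = lookup(name)  # a LookupTimeout propagates: hard failure
        if records:
            return name, records
    return "", []

def issuance_check(domain: str, ca: str, lookup: Lookup = fake_lookup) -> str:
    """Decide as a CA would: 'allowed', 'denied by CAA at <name>' or
    'failed: <why>'. An unanswered query is refused, not treated as 'no record'."""
    try:
        name, records = caa_set(domain, lookup)
    except LookupTimeout as exc:
        return f"failed: {exc}"
    issuers = {value for tag, value in records if tag == "issue"}
    if not issuers:
        return "allowed"  # no issue property anywhere on the path: no restriction
    return "allowed" if ca in issuers else f"denied by CAA at {name}"
```

Replacing fake_lookup with a real CAA query (for instance via dnspython) turns this into a pre-flight check you can run from your own network before retrying the order, keeping in mind that a slow path from the CA's resolvers can still time out where yours does not.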