Buypass cannot sign CN domain names, but letsencrypt.org can. The CAA settings of both are the same.
Cache-Control: no-store
 Content-Length: 0
 Date: Tue, 21 May 2024 05:47:05 GMT
 Link: <https://api.buypass.com/acme/directory>; rel="index"
 Replay-Nonce: YWVkNDkwYmQtZjFkNy00OWUzLTlkMTItZWEwMzI3YjNjM2Vh
 Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
 Strict-Transport-Security: max-age=63072000
2024-05-21 13:47:04,843:DEBUG:acme.client:Storing nonce: YWVkNDkwYmQtZjFkNy00OWUzLTlkMTItZWEwMzI3YjNjM2Vh
 2024-05-21 13:47:04,843:DEBUG:acme.client:JWS payload:
 b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "lens.steppereyewear.cn"\n    }\n  ]\n}'
 2024-05-21 13:47:04,849:DEBUG:acme.client:Sending POST request to https://api.buypass.com/acme/new-order:
 {
   "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYXBpLmJ1eXBhc3MuY29tL2FjbWUvYWNjdC90dXpqeEZtTWl0M2ZQdyIsICJub25jZSI6ICJZV1ZrTkRrd1ltUXRaakZrTnkwME9XVXpMVGxrTVRJdFpXRXdNekkzWWpOak0yVmgiLCAidXJsIjogImh0dHBzOi8vYXBpLmJ1eXBhc3MuY29tL2FjbWUvbmV3LW9yZGVyIn0",
   "signature": "k5MCjwSl2K204GH_YXrQRjYXHNZK1TwV4DZbOJpzPlNK5rFP9MOl4NZ8gAR_lU2OJkUmTJHdAVomTUKuEjm3zIajnqOPIDETm9RMInwN5zYsTsNKTC2_pybPHwPeDxYP1F4YM8lQFx4bF3Z1ZTqdE331KWQkFwQVT3GVBKWMbUtbeNWw31eJ6i8ZJUhI1QHc9OkXfb6pfXUoYsLVJ5OjIq7p8H0XF5Hh7YK01JTCYqejkhuqHXXksltQ0N1ctAYbobrfnHUYaJFqtwyDHUqFJTi-43i-AUVzdVuS2xJ4FYexBkPjW8XjVw9Eg3GoZGD5aBHJfikKHV4p0hsdSbrrKw",
   "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImxlbnMuc3RlcHBlcmV5ZXdlYXIuY24iCiAgICB9CiAgXQp9"
 }
 2024-05-21 13:47:11,271:DEBUG:urllib3.connectionpool:https://api.buypass.com:443 "POST /acme/new-order HTTP/1.1" 403 None
 2024-05-21 13:47:11,272:DEBUG:acme.client:Received response:
 HTTP 403
 Cache-Control: no-store
 Content-Type: application/problem+json
 Date: Tue, 21 May 2024 05:47:06 GMT
 Replay-Nonce: YTI1N2UzMWQtNWQwZS00ZmM1LWEyN2YtNGFlOTFmZTcxY2Zi
 Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
 Transfer-Encoding: chunked
 Strict-Transport-Security: max-age=63072000
{"type":"urn:ietf:params:acme:error:caa","title":"Forbidden","status":403,"detail":"Domain is rejected due to CAA forbids issuance","instance":"/acme/new-order"}
 2024-05-21 13:47:11,272:DEBUG:certbot._internal.log:Exiting abnormally:
 Traceback (most recent call last):
   File "/usr/local/bin/certbot", line 11, in <module>
     sys.exit(main())
   File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 15, in main
     return internal_main.main(cli_args)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1421, in main
     return config.func(config, plugins)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1294, in certonly
     lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
     lineage = le_client.obtain_and_enroll_certificate(domains, certname)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
     cert, chain, key, _ = self.obtain_certificate(domains)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
     orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
   File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 406, in _get_order_and_authorizations
     orderr = self.acme.new_order(csr_pem)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 886, in new_order
     return self.client.new_order(csr_pem)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 668, in new_order
     response = self._post(self.directory['newOrder'], order)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 97, in _post
     return self.net.post(*args, **kwargs)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1201, in post
     return self._post_once(*args, **kwargs)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1214, in _post_once
     response = self._check_response(response, content_type=content_type)
   File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1072, in _check_response
     raise messages.Error.from_json(jobj)
 acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Domain is rejected due to CAA forbids issuance :: Forbidden
 2024-05-21 13:47:11,276:ERROR:certbot._internal.log:An unexpected error occurred:
 2024-05-21 13:47:11,276:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Domain is rejected due to CAA forbids issuance :: Forbidden
  
10 replies
Hi. We have not implemented support for this attribute as of yet.
I noticed the same issue today. Last renewal was in January and then it was working fine. CAA records have not changed and include both buypass.com and letsencrypt.org, but only the letsencrypt.org issuer is working at the moment. We need a renewal soon.
We have the same issue; it used to work, but all new renewals and certs are failing.
Looking into the CAA issue now.
I also got the same issue when trying to renew our certificates now, used to work, but now I get the following on the request/response (from the letsencrypt.log file):
Request: Sending POST request to https://api.buypass.com/acme/new-order
Response: Domain is rejected due to CAA forbids issuance
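The CAA logic behind the `urn:ietf:params:acme:error:caa` rejection in this thread, as an added example that is not part of the thread, of certbot, or of Buypass's code: an offline RFC 8659 check over constructed records (no DNS lookups are made) that climbs to the closest CAA RRset, honours the critical flag and `issuewild`, and also returns any parameters attached to the record naming a CA, so an operator can see whether the record for a listed issuer carries a parameter that issuer may not support. All owner names and records below are constructed.

```python
from typing import Dict, List, NamedTuple, Tuple
class CAARecord(NamedTuple):
    flags: int   # 0x80 = issuer-critical flag
    tag: str     # property tag: issue, issuewild, iodef, ...
    value: str   # property value, e.g. 'buypass.com; validationmethods=dns-01'

# Constructed zone data standing in for DNS answers (not real records): owner name -> CAA RRset.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.test": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "buypass.com; validationmethods=dns-01"),
    ],
    "locked.example.test": [CAARecord(0, "issue", ";")],        # ';' alone: no CA may issue
    "strict.example.test": [CAARecord(128, "futureprop", "x")],  # unknown critical property
}

def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain-name; k=v; k=v' into the issuer and its parameters."""
    issuer, _, rest = value.partition(";")
    params: Dict[str, str] = {}
    for item in filter(None, (p.strip() for p in rest.split(";"))):
        key, _, val = item.partition("=")
        params[key.strip()] = val.strip()
    return issuer.strip().lower(), params

def relevant_caa(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Climb from the name towards the root and return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":              # a wildcard request is checked at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(name: str, ca: str, zone=SAMPLE_ZONE) -> Tuple[bool, Dict[str, str]]:
    """Return (permitted, parameters on the record that names this CA)."""
    rrset = relevant_caa(name, zone)
    # An unrecognised property carrying the critical flag forbids issuance outright.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False, {}
    wild = name.startswith("*.") and any(r.tag == "issuewild" for r in rrset)
    tag = "issuewild" if wild else "issue"   # issuewild overrides issue for wildcard names
    candidates = [parse_issue_value(r.value) for r in rrset if r.tag == tag]
    if not candidates:
        return True, {}               # no relevant issue property: CAA imposes no restriction
    for issuer, params in candidates:
        if issuer == ca.lower():
            return True, params
    return False, {}
```

Running `ca_may_issue("lens.example.test", "buypass.com")` on the sample zone returns permitted but with `{"validationmethods": "dns-01"}` attached, which is the kind of detail worth comparing against what the CA actually implements when a listed issuer still returns a CAA error.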
