0

Buypass cannot sign CN domain names, but letsencrypt.org can. The CAA settings of both are the same.

Buypass cannot sign CN domain names, but letsencrypt.org can. The CAA settings of both are the same.

 

Cache-Control: no-store
Content-Length: 0
Date: Tue, 21 May 2024 05:47:05 GMT
Link: <https://api.buypass.com/acme/directory>; rel="index"
Replay-Nonce: YWVkNDkwYmQtZjFkNy00OWUzLTlkMTItZWEwMzI3YjNjM2Vh
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Strict-Transport-Security: max-age=63072000

2024-05-21 13:47:04,843:DEBUG:acme.client:Storing nonce: YWVkNDkwYmQtZjFkNy00OWUzLTlkMTItZWEwMzI3YjNjM2Vh
2024-05-21 13:47:04,843:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "lens.steppereyewear.cn"\n    }\n  ]\n}'
2024-05-21 13:47:04,849:DEBUG:acme.client:Sending POST request to https://api.buypass.com/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYXBpLmJ1eXBhc3MuY29tL2FjbWUvYWNjdC90dXpqeEZtTWl0M2ZQdyIsICJub25jZSI6ICJZV1ZrTkRrd1ltUXRaakZrTnkwME9XVXpMVGxrTVRJdFpXRXdNekkzWWpOak0yVmgiLCAidXJsIjogImh0dHBzOi8vYXBpLmJ1eXBhc3MuY29tL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "k5MCjwSl2K204GH_YXrQRjYXHNZK1TwV4DZbOJpzPlNK5rFP9MOl4NZ8gAR_lU2OJkUmTJHdAVomTUKuEjm3zIajnqOPIDETm9RMInwN5zYsTsNKTC2_pybPHwPeDxYP1F4YM8lQFx4bF3Z1ZTqdE331KWQkFwQVT3GVBKWMbUtbeNWw31eJ6i8ZJUhI1QHc9OkXfb6pfXUoYsLVJ5OjIq7p8H0XF5Hh7YK01JTCYqejkhuqHXXksltQ0N1ctAYbobrfnHUYaJFqtwyDHUqFJTi-43i-AUVzdVuS2xJ4FYexBkPjW8XjVw9Eg3GoZGD5aBHJfikKHV4p0hsdSbrrKw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImxlbnMuc3RlcHBlcmV5ZXdlYXIuY24iCiAgICB9CiAgXQp9"
}
2024-05-21 13:47:11,271:DEBUG:urllib3.connectionpool:https://api.buypass.com:443 "POST /acme/new-order HTTP/1.1" 403 None
2024-05-21 13:47:11,272:DEBUG:acme.client:Received response:
HTTP 403
Cache-Control: no-store
Content-Type: application/problem+json
Date: Tue, 21 May 2024 05:47:06 GMT
Replay-Nonce: YTI1N2UzMWQtNWQwZS00ZmM1LWEyN2YtNGFlOTFmZTcxY2Zi
Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=63072000

{"type":"urn:ietf:params:acme:error:caa","title":"Forbidden","status":403,"detail":"Domain is rejected due to CAA forbids issuance","instance":"/acme/new-order"}
2024-05-21 13:47:11,272:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1294, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 135, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 406, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 886, in new_order
    return self.client.new_order(csr_pem)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 668, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1072, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Domain is rejected due to CAA forbids issuance :: Forbidden
2024-05-21 13:47:11,276:ERROR:certbot._internal.log:An unexpected error occurred:
2024-05-21 13:47:11,276:ERROR:certbot._internal.log:Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Domain is rejected due to CAA forbids issuance :: Forbidden
 

10replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Hi. We have not implemented support for this attribute as of yet.

    Like
  • I noticed the same issue today. Last renewal was in January and then it was working fine. CAA records have not changed and includes both buypass.com and letsencrypt.org but only letsencrypt.org issuer is working at the moment. We need a renewal soon.

    Like
    • Sverre Veel Could you contact customer service with this issue, and the domains affected.

      Like
    • mkon Will do, thanks! 

      Like
  • We have the same issue, used to work but all new renewal and certs are failing

    Like
    • Jarle Hjortland Sverre Veel  Please try again now.

      Like 1
    • mkon Hi, I tried it again today and it is working. Thank you! 

      Like
  • Looking into the caa issue now.

    Like
  • I also got the same issue when trying to renew our certificates now, used to work, but now I get the following on the request/response (from the letsencrypt.log file): 

    Request:
    Sending POST request to https://api.buypass.com/acme/new-order
    Response:
    Domain is rejected due to CAA forbids issuance
    
    Like
    • Cato Mausethagen If there are multiple domains that have issues, please send this in to customer service. Then we can have a closer look.

      Like 1
Like Follow
  • Status Answered
  • 5 mths agoLast active
  • 10Replies
  • 212Views
  • 5 Following

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.

Sign-up using free email domains have been blocked due to increased spam. https://community.forumbee.com/t/63zsyt/blocked-email-domains