Issues renewing with non-existent CAA


For at least 12 hours, since my ACME client decided my currently issued certificate should be renewed, I've been having issues getting a new certificate. In particular, the ACME production server (I haven't checked the testing one) is returning

[{"type":"urn:ietf:params:acme:error:caa","detail":"Domain is rejected due to CAA forbids issuance","code":403,"message":"CAA","details":"HTTP 403 Forbidden"}]

(I tried to email you with more account details but Outlook says my IP is banned, most probably not by my own reputation but the ISP I'm using. If you can cross the information between the users in here and the accounts registered in the ACME server, I'm using the same email addresses in both.)

It's worth noting that I don't have a CAA RR in this domain, nor its parent, nor its parent's parent (which is the TLD). The way I understand RFC 8659 Section 3, no action should be taken if no CAA Relevant RRset is found.

This domain and all the others for which I have certs issued by Buypass have been working with the same setup (no CAA RRs) for the last 2-3 years.

Is this expected behaviour? Is a CAA RR required now if I want to get Buypass-issued certs?

Thanks in advance.

3 replies
  • Hi. Could you please send us an email to either support@buypass.com or kundeservice@buypass.no with some more information?

    Have a nice day!

    • NOC, 1 yr ago

    Hi Daniel,

    I tried doing so before creating an account here, but as the post says, I wasn't able:

    support@buypass.com: 550 5.7.511 Access denied, banned sender[[REDACTED]]. To request removal from this list please forward this message to delist@messaging.microsoft.com. For more information please go to  http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410) [HE1EUR04FT019.eop-eur04.prod.protection.outlook.com]

    This is most certainly the filter being overzealous and banning all of AS24940.

    I only tried against @buypass.com, but I guess it's Outlook behind @buypass.no, correct? If that isn't the case, I can give it a shot.

    • NOC, 1 yr ago

    Well, my certificate finally got issued. As I now found out, I self-induced a small outage due to a DNSSEC misconfiguration. In this particular case, the RRSIG covering the DNSKEYs had expired. Combined with long TTLs, it took me almost 2 days to realize the issue.

    If this is indeed the reason why the certificate wasn't issued, then I believe the message about CAA being "misconfigured" is misleading.
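Added example (my own code, not Buypass's or anything posted in this thread) modelling the two outcomes the thread contrasts: the RFC 8659 Section 3 climb that finds no CAA RRset anywhere and therefore allows issuance, versus a zone whose RRSIG over the DNSKEY RRset has expired, so a validating resolver answers SERVFAIL and the CA must treat that as a lookup failure rather than as "no CAA". The zone names, the CA identifier and the in-memory resolver are all constructed so it runs offline.

```python
from datetime import datetime, timezone

CA_IDENTIFIERS = {"buypass.com"}  # assumed issuer-domain-name for the CA in question

def make_resolver(zones, now):
    """Simulate a validating resolver over constructed zone data.
    zones: {name: {"caa": [(tag, value), ...], "dnskey_rrsig_expires": datetime|None}}.
    A zone whose RRSIG over its DNSKEY RRset has expired is bogus, so every name at
    or below it gets SERVFAIL: the failure mode described in the thread."""
    def lookup(name):
        for zone, data in zones.items():
            exp = data["dnskey_rrsig_expires"]
            if (name == zone or name.endswith("." + zone)) and exp and exp <= now:
                return ("servfail", [])
        return ("ok", zones[name]["caa"] if name in zones else [])
    return lookup

def relevant_caa(fqdn, lookup):
    """RFC 8659 s.3: walk from the FQDN towards the root; the first non-empty CAA
    RRset is the relevant one. Any lookup failure on the way is raised."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        status, records = lookup(name)
        if status != "ok":
            raise LookupError(f"{name}: {status}")
        if records:
            return name, records
    return None, []  # no relevant RRset anywhere: issuance is not restricted

def issuance_decision(fqdn, lookup, ca_ids=CA_IDENTIFIERS):
    """'allowed' | 'forbidden' | 'lookup-failed' for a non-wildcard name.
    No CAA RRset -> allowed (RFC 8659 s.3). A lookup failure under a DNSSEC-signed
    zone must be treated as failure, not as absence (CA/B Forum BR 3.2.2.8), which
    is how a broken chain of trust can surface as a 'CAA forbids issuance' error."""
    try:
        _, records = relevant_caa(fqdn, lookup)
    except LookupError:
        return "lookup-failed"
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    if not issuers:
        return "allowed"  # empty RRset or only unrelated properties (e.g. iodef)
    return "allowed" if any(d in ca_ids for d in issuers) else "forbidden"

# Constructed scenarios with hypothetical names; "now" is 2024-01-03.
FAR, PAST = datetime(2030, 1, 1, tzinfo=timezone.utc), datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 1, 3, tzinfo=timezone.utc)
def zone(caa=(), expires=FAR): return {"caa": list(caa), "dnskey_rrsig_expires": expires}
HEALTHY = {"test.": zone(), "example.test.": zone()}
EXPIRED = {"test.": zone(), "example.test.": zone(expires=PAST)}  # DNSKEY RRSIG expired
RESTRICTED = {"test.": zone(), "example.test.": zone(caa=[("issue", "other-ca.example")])}

if __name__ == "__main__":
    for label, z in (("healthy", HEALTHY), ("expired", EXPIRED), ("restricted", RESTRICTED)):
        print(label, issuance_decision("www.example.test.", make_resolver(z, NOW)))
```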

Status: Answered · 3 replies · 229 views

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.
