Hi all!
First some info: I did reproduce this, so I have actually verified this happens (to me at least).
Let's go. Here is my CAA info, which I have with every domain I host:
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild ";"
@ IN CAA 0 iodef "mailto:me@mydomain.xxx"
Most of my domains use Let's Encrypt, but some use Sectigo certs, hence both are there so I can change certs if needed without editing DNS records.
Now, when I renew manually or the cert gets renewed automatically (Let's Encrypt), the corresponding CAA record, in this case '@ IN CAA 0 issue "letsencrypt.org"', gets removed from the records for some reason!? This obviously prevents the next renewal after two months or so, and I get e-mails saying the renewal failed because CAA prevents it.
I don't know why cert renewal even messes with DNS records, but this is what happens.
Hope the issue is clear enough, thanks!
- Yorkki
Comments
Hi,
Thanks for contacting us.
I assume it's happening because we add those CAA records automatically upon DNS validation with certbot for Let's Encrypt and then remove them.
Jamie, I think the improvement would be to test if the records in the zone file existed in the first place and, if they did, leave them as they were? Perhaps there is no reason to remove those CAA records at all and we should just leave them be?
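As an added illustration (not Virtualmin's code, and not written by anyone in this thread), here is a small Python model of the two renewal behaviours discussed: the one described in the original post, where an `issue` record for the CA is added for the DNS validation run and then removed afterwards whether or not it was there before, next to the one proposed in the comment above, which adds the record only when it is missing and removes only what the run itself added. It also includes a check of whether a given CA is permitted by a single CAA record set under the RFC 8659 issue/issuewild rules, so you can see why the naive cycle leaves the zone refusing the next Let's Encrypt renewal while still allowing Sectigo. The zone fragment is constructed from the records quoted in the post; the function names are assumptions of this example.

```python
"""Added example, not Virtualmin's own code: model CAA handling around an
ACME DNS-01 validation so that operator-created records survive a renewal."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    def zone_line(self):
        return f'@ IN CAA {self.flags} {self.tag} "{self.value}"'


# Constructed input: the apex records quoted in the original post.
ZONE = """\
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "sectigo.com"
@ IN CAA 0 issuewild ";"
@ IN CAA 0 iodef "mailto:me@mydomain.xxx"
"""

_CAA_RE = re.compile(r'^\S+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')


def parse_caa(zone_text):
    """Collect the CAA records from a zone-file fragment; other lines are ignored."""
    recs = []
    for line in zone_text.splitlines():
        m = _CAA_RE.match(line.strip())
        if m:
            recs.append(CAA(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return recs


def caa_allows(records, ca, wildcard=False):
    """RFC 8659 decision for one relevant record set (the apex here, so no
    parent walk is needed). With no issue/issuewild property present, any CA
    may issue. For wildcard requests issuewild takes precedence when present;
    otherwise issue applies. A bare ";" value names no CA, so it forbids
    issuance (that is what issuewild ";" in the post does)."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    # The CA domain is everything before the first ";"; the rest is parameters.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    allowed.discard("")
    return ca.lower() in allowed


def naive_validation_cycle(records, ca):
    """The behaviour the thread describes: add 'issue ca' for the DNS-01 run,
    then delete every matching record afterwards, including a pre-existing one."""
    wanted = CAA(0, "issue", ca)
    during = list(records) + [wanted]
    return [r for r in during if r != wanted]


def safe_validation_cycle(records, ca):
    """The fix proposed in the thread: add the record only if it is missing
    and afterwards remove only what this run added."""
    wanted = CAA(0, "issue", ca)
    during = list(records)
    added = None
    if wanted not in during:
        during.append(wanted)
        added = wanted
    return [r for r in during if r != added]


if __name__ == "__main__":
    before = parse_caa(ZONE)
    for label, after in (("naive", naive_validation_cycle(before, "letsencrypt.org")),
                         ("safe", safe_validation_cycle(before, "letsencrypt.org"))):
        print(f"{label}: letsencrypt.org allowed afterwards? "
              f"{caa_allows(after, 'letsencrypt.org')}")
        for r in after:
            print("   ", r.zone_line())
```

Running the block prints the zone as it looks after each style of cycle; after the naive one, `letsencrypt.org` is no longer permitted while `sectigo.com` still is, which matches the failed-renewal mails the post describes. A zone with no CAA records at all comes out of the safe cycle exactly as it went in, so the fix does not change behaviour for the common case either.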
Submitted by Yorkki on Wed, 01/13/2021 - 11:18 Comment #2
Note: The problem with removing the CAA record is that when you have a subdomain, for example outside your Virtualmin installation, renewing a cert outside of your actual BIND installation, the sub-server is not able to touch or change/add/remove any DNS records, hence it is unable to renew the cert if the CAA record is not in place.
Submitted by JamieCameron on Wed, 01/13/2021 - 23:24 Comment #3
Sorry about this, we didn't consider this kind of setup with the CAA records. The next Virtualmin release won't cause this kind of breakage.
Submitted by Yorkki on Wed, 01/13/2021 - 23:28 Comment #4
Thanks guys, appreciate it, keep up the good work!