21.1.5 LET'S ENCRYPT: CAA record for [Domain] prevents issuance (SOLVED)

Started by Realterminator, April 23, 2021, 09:42:05 AM

Hello Knowledgeable,
I hope that one of you can tell me what is wrong.
I have OPNsense set up from scratch and get the above error.

Log is attached


[Fri Apr 23 09:31:50 CEST 2021] Using config home:/var/etc/acme-client/home
[Fri Apr 23 09:31:50 CEST 2021] Running cmd: issue
[Fri Apr 23 09:31:50 CEST 2021] _main_domain='opnsense.home.example.com'
[Fri Apr 23 09:31:50 CEST 2021] _alt_domains='no'
[Fri Apr 23 09:31:50 CEST 2021] Using config home:/var/etc/acme-client/home
[Fri Apr 23 09:31:50 CEST 2021] default_acme_server
[Fri Apr 23 09:31:50 CEST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Apr 23 09:31:50 CEST 2021] DOMAIN_PATH='/var/etc/acme-client/home/opnsense.home.example.com'
[Fri Apr 23 09:31:50 CEST 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Fri Apr 23 09:31:50 CEST 2021] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri Apr 23 09:31:50 CEST 2021] GET
[Fri Apr 23 09:31:50 CEST 2021] url='https://acme-v02.api.letsencrypt.org/directory'
[Fri Apr 23 09:31:50 CEST 2021] timeout=
[Fri Apr 23 09:31:50 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.j3HZeIHf '
[Fri Apr 23 09:31:51 CEST 2021] ret='0'
[Fri Apr 23 09:31:51 CEST 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Fri Apr 23 09:31:51 CEST 2021] ACME_NEW_AUTHZ
[Fri Apr 23 09:31:51 CEST 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Apr 23 09:31:51 CEST 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Fri Apr 23 09:31:51 CEST 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Fri Apr 23 09:31:51 CEST 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Apr 23 09:31:51 CEST 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Apr 23 09:31:51 CEST 2021] ACME_VERSION='2'
[Fri Apr 23 09:31:51 CEST 2021] Le_NextRenewTime
[Fri Apr 23 09:31:51 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Apr 23 09:31:51 CEST 2021] _on_before_issue
[Fri Apr 23 09:31:51 CEST 2021] _chk_main_domain='opnsense.home.example.com'
[Fri Apr 23 09:31:51 CEST 2021] _chk_alt_domains
[Fri Apr 23 09:31:51 CEST 2021] Le_LocalAddress
[Fri Apr 23 09:31:51 CEST 2021] d='opnsense.home.example.com'
[Fri Apr 23 09:31:51 CEST 2021] Check for domain='opnsense.home.example.com'
[Fri Apr 23 09:31:51 CEST 2021] _currentRoot='dns_doapi'
[Fri Apr 23 09:31:51 CEST 2021] d
[Fri Apr 23 09:31:51 CEST 2021] _saved_account_key_hash is not changed, skip register account.
[Fri Apr 23 09:31:51 CEST 2021] Read key length:4096
[Fri Apr 23 09:31:51 CEST 2021] _createcsr
[Fri Apr 23 09:31:51 CEST 2021] Single domain='opnsense.home.example.com'
[Fri Apr 23 09:31:51 CEST 2021] Getting domain auth token for each domain
[Fri Apr 23 09:31:51 CEST 2021] d
[Fri Apr 23 09:31:51 CEST 2021] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Apr 23 09:31:51 CEST 2021] payload='{"identifiers": [{"type":"dns","value":"opnsense.home.example.com"}]}'
[Fri Apr 23 09:31:51 CEST 2021] RSA key
[Fri Apr 23 09:31:52 CEST 2021] HEAD
[Fri Apr 23 09:31:52 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri Apr 23 09:31:52 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb  -I  '
[Fri Apr 23 09:31:53 CEST 2021] _ret='0'
[Fri Apr 23 09:31:53 CEST 2021] POST
[Fri Apr 23 09:31:53 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri Apr 23 09:31:53 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:31:54 CEST 2021] _ret='0'
[Fri Apr 23 09:31:54 CEST 2021] code='201'
[Fri Apr 23 09:31:54 CEST 2021] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/120250055/9241257541'
[Fri Apr 23 09:31:54 CEST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/120250055/9241257541'
[Fri Apr 23 09:31:54 CEST 2021] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/12555764122'
[Fri Apr 23 09:31:54 CEST 2021] payload
[Fri Apr 23 09:31:54 CEST 2021] POST
[Fri Apr 23 09:31:54 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/12555764122'
[Fri Apr 23 09:31:54 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:31:55 CEST 2021] _ret='0'
[Fri Apr 23 09:31:55 CEST 2021] code='200'
[Fri Apr 23 09:31:55 CEST 2021] d='opnsense.home.example.com'
[Fri Apr 23 09:31:55 CEST 2021] Getting webroot for domain='opnsense.home.example.com'
[Fri Apr 23 09:31:55 CEST 2021] _w='dns_doapi'
[Fri Apr 23 09:31:55 CEST 2021] _currentRoot='dns_doapi'
[Fri Apr 23 09:31:55 CEST 2021] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg","token":"soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c"'
[Fri Apr 23 09:31:55 CEST 2021] token='soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c'
[Fri Apr 23 09:31:55 CEST 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:31:55 CEST 2021] keyauthorization='soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c.D4qT5LVa92mckKnQMnTveG8T0qwEDojFoqSZamw7NBE'
[Fri Apr 23 09:31:55 CEST 2021] dvlist='opnsense.home.example.com#soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c.D4qT5LVa92mckKnQMnTveG8T0qwEDojFoqSZamw7NBE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg#dns-01#dns_doapi'
[Fri Apr 23 09:31:55 CEST 2021] d
[Fri Apr 23 09:31:55 CEST 2021] vlist='opnsense.home.example.com#soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c.D4qT5LVa92mckKnQMnTveG8T0qwEDojFoqSZamw7NBE#https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg#dns-01#dns_doapi,'
[Fri Apr 23 09:31:55 CEST 2021] d='opnsense.home.example.com'
[Fri Apr 23 09:31:55 CEST 2021] _d_alias
[Fri Apr 23 09:31:55 CEST 2021] txtdomain='_acme-challenge.opnsense.home.example.com'
[Fri Apr 23 09:31:55 CEST 2021] txt='_uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g'
[Fri Apr 23 09:31:55 CEST 2021] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_doapi.sh'
[Fri Apr 23 09:31:55 CEST 2021] Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_doapi.sh
[Fri Apr 23 09:31:55 CEST 2021] Adding txt value: _uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g for domain:  _acme-challenge.opnsense.home.example.com
[Fri Apr 23 09:31:55 CEST 2021] Adding TXT record to _acme-challenge.opnsense.home.example.com
[Fri Apr 23 09:31:55 CEST 2021] GET
[Fri Apr 23 09:31:55 CEST 2021] url='https://www.do.de/api/letsencrypt?token=geheim&domain=_acme-challenge.opnsense.home.example.com&value=_uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g'
[Fri Apr 23 09:31:55 CEST 2021] timeout=
[Fri Apr 23 09:31:55 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:31:56 CEST 2021] ret='0'
[Fri Apr 23 09:31:56 CEST 2021] The txt record is added: Success.
[Fri Apr 23 09:31:56 CEST 2021] Sleep 20 seconds for the txt records to take effect
[Fri Apr 23 09:32:16 CEST 2021] ok, let's start to verify
[Fri Apr 23 09:32:16 CEST 2021] Verifying: opnsense.home.example.com
[Fri Apr 23 09:32:16 CEST 2021] d='opnsense.home.example.com'
[Fri Apr 23 09:32:16 CEST 2021] keyauthorization='soaovEwT3XYXmWIrfhuA3W32BpkOP-sJ8Pm-yf_hM3c.D4qT5LVa92mckKnQMnTveG8T0qwEDojFoqSZamw7NBE'
[Fri Apr 23 09:32:16 CEST 2021] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:16 CEST 2021] _currentRoot='dns_doapi'
[Fri Apr 23 09:32:16 CEST 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:16 CEST 2021] payload='{}'
[Fri Apr 23 09:32:16 CEST 2021] POST
[Fri Apr 23 09:32:16 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:16 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:32:17 CEST 2021] _ret='0'
[Fri Apr 23 09:32:17 CEST 2021] code='200'
[Fri Apr 23 09:32:17 CEST 2021] trigger validation code: 200
[Fri Apr 23 09:32:17 CEST 2021] sleep 2 secs to verify
[Fri Apr 23 09:32:19 CEST 2021] checking
[Fri Apr 23 09:32:19 CEST 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:19 CEST 2021] payload
[Fri Apr 23 09:32:19 CEST 2021] POST
[Fri Apr 23 09:32:19 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:19 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:32:20 CEST 2021] _ret='0'
[Fri Apr 23 09:32:20 CEST 2021] code='200'
[Fri Apr 23 09:32:20 CEST 2021] opnsense.home.example.com:Verify error:CAA record for opnsense.home.example.com prevents issuance
[Fri Apr 23 09:32:20 CEST 2021] Skip for removelevel:
[Fri Apr 23 09:32:20 CEST 2021] pid
[Fri Apr 23 09:32:20 CEST 2021] No need to restore nginx, skip.
[Fri Apr 23 09:32:20 CEST 2021] _clearupdns
[Fri Apr 23 09:32:20 CEST 2021] dns_entries='opnsense.home.example.com,_acme-challenge.opnsense.home.example.com,,dns_doapi,_uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g,/usr/local/share/examples/acme.sh/dnsapi/dns_doapi.sh
'
[Fri Apr 23 09:32:20 CEST 2021] Removing DNS records.
[Fri Apr 23 09:32:20 CEST 2021] d='opnsense.home.example.com'
[Fri Apr 23 09:32:20 CEST 2021] txtdomain='_acme-challenge.opnsense.home.example.com'
[Fri Apr 23 09:32:20 CEST 2021] aliasDomain='_acme-challenge.opnsense.home.example.com'
[Fri Apr 23 09:32:20 CEST 2021] _currentRoot='dns_doapi'
[Fri Apr 23 09:32:20 CEST 2021] txt='_uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g'
[Fri Apr 23 09:32:20 CEST 2021] d_api='/usr/local/share/examples/acme.sh/dnsapi/dns_doapi.sh'
[Fri Apr 23 09:32:20 CEST 2021] Removing txt: _uncpSBWS5RZbjow2ouFzICGEPDJU6RMOZ69JoXek6g for domain: _acme-challenge.opnsense.home.example.com
[Fri Apr 23 09:32:20 CEST 2021] Deleting resource record _acme-challenge.opnsense.home.example.com
[Fri Apr 23 09:32:20 CEST 2021] GET
[Fri Apr 23 09:32:20 CEST 2021] url='https://www.do.de/api/letsencrypt?token=geheim&domain=_acme-challenge.opnsense.home.example.com&action=delete'
[Fri Apr 23 09:32:20 CEST 2021] timeout=
[Fri Apr 23 09:32:20 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:32:21 CEST 2021] ret='0'
[Fri Apr 23 09:32:21 CEST 2021] Removed: Success
[Fri Apr 23 09:32:21 CEST 2021] _on_issue_err
[Fri Apr 23 09:32:21 CEST 2021] Please check log file for more details: /var/log/acme.sh.log
[Fri Apr 23 09:32:21 CEST 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:21 CEST 2021] payload='{}'
[Fri Apr 23 09:32:21 CEST 2021] POST
[Fri Apr 23 09:32:21 CEST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/12555764122/MrEyTg'
[Fri Apr 23 09:32:21 CEST 2021] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header  -L  --trace-ascii /tmp/tmp.bZupw9Cb '
[Fri Apr 23 09:32:21 CEST 2021] _ret='0'
[Fri Apr 23 09:32:21 CEST 2021] code='400'
[Fri Apr 23 09:32:21 CEST 2021] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1d-freebsd  10 Sep 2019
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.1 on Apr 20 2021 04:27:51
   running on FreeBSD version FreeBSD 12.1-RELEASE-p16-HBSD #0  b531d3958f5(stable/21.1)-dirty: Tue Apr 20 11:00:08 CEST 2021     root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP, release 12.1-RELEASE-p16-HBSD, machine amd64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #undef WITH_ABSTRACT_UNIXSOCKET
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #undef WITH_INTERFACE
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #undef WITH_VSOCK
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #undef WITH_READLINE
  #undef WITH_TUN
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #define WITH_LIBWRAP 1
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

According to your attached log file your domain is "home.example.com".
I assume this is not really the case and you have edited the log file for non-disclosure reasons.

CAA records are explained here: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization.
I would check the CAA record of your real domain; you can do this on the OPNsense with


host -t CAA myrealdomain.com


and make sure that Let's Encrypt is allowed to issue certificates by editing the existing CAA record.

April 23, 2021, 10:16:32 AM #2 Last Edit: April 23, 2021, 10:19:39 AM by Realterminator
You saved my day

home.example.com.   IN   CAA   0 issue "letsencrypt.org"
home.example.com.   IN   CAA   0 iodef "mailto:webmaster@example.com"
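To show why the check in the reply above matters, here is an added example (not from the thread or from acme.sh) that evaluates a CAA policy the way a CA does under RFC 8659: climb from the requested name to the nearest ancestor that has a CAA RRset, then test whether the CA's issuer domain is listed. The zone data is constructed in memory; the "after" set is the poster's final records, the "before" set assumes some other CA was listed, since the thread never shows the original record.

```python
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str
    value: str

def relevant_rrset(name, zone):
    """RFC 8659 s3: walk up from the name towards the root; the first CAA RRset found is the relevant one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """issuer-domain-name is the part before the first ';'; an empty name means nobody may issue."""
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(name, ca_domain, zone):
    """Return (allowed, reason) for the CA identified by ca_domain, e.g. 'letsencrypt.org'."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA RRset found; issuance is unrestricted"
    for r in rrset:  # a critical record with a tag the CA does not understand blocks issuance
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical tag {r.tag!r} at {owner}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue  # issuewild overrides issue for wildcards
    if not relevant:
        return True, f"CAA RRset at {owner} carries no issue property; not restricted"
    permitted = {issuer_domain(r.value) for r in relevant}
    if ca_domain.lower() in permitted:
        return True, f"{ca_domain} is authorised by the CAA RRset at {owner}"
    return False, f"CAA record for {name} prevents issuance (permitted: {sorted(permitted)})"

# Constructed zone data. BEFORE assumes another CA was listed (the thread never shows the original record).
BEFORE = {"home.example.com.": [CAA(0, "issue", "some-other-ca.example"),
                                CAA(0, "iodef", "mailto:webmaster@example.com")]}
# AFTER is the record set the original poster ended up with.
AFTER = {"home.example.com.": [CAA(0, "issue", "letsencrypt.org"),
                               CAA(0, "iodef", "mailto:webmaster@example.com")]}

if __name__ == "__main__":
    for zone in (BEFORE, AFTER):
        print(issuance_allowed("opnsense.home.example.com", "letsencrypt.org", zone))
```

Note that opnsense.home.example.com itself has no CAA record in either zone; the decision is taken from the parent home.example.com, which is why the error names the host while the fix lives one label up.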