linux, puppet, and stuff that comes along for the ride

Resolving wordpress.com Let’s Encrypt TLS issue: “update or remove the CAA DNS records”

I discovered this site was returning an HTTP Strict Transport Security (HSTS) error in Firefox today, and didn’t have a valid certificate.

Issuing a Let’s Encrypt certificate was failing:

This domain has CAA DNS records that do not allow Let's Encrypt to issue a certificate. Please update or remove the CAA DNS records.

TL;DR

To continue forwarding my personal domain to WordPress, I needed to change my DNS from a CNAME to A records.

Longer version

When I started paying for wordpress.com to host this site, it seems the guidance was to use a CNAME DNS record, and it’d worked since 2018.

At some point in the past, I moved DNS for my domain to Cloudflare, and this was what was being returned:

$ dig blog.thewatertower.org -t caa
;; ANSWER SECTION:
blog.thewatertower.org.	1	IN	CNAME	watertower.home.blog.
watertower.home.blog.	6901	IN	CNAME	home.blog.
home.blog.		556	IN	CAA	0 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/36334489"

The steps that worked, in the WordPress.com dashboard:

  1. Upgrades > Domains
  2. Change the primary site address to the default site domain.
  3. Click on the externally defined domain, in this case blog.thewatertower.org
  4. On the right: Delete .. Remove this domain connection permanently
  5. Continue past the scary ‘why are you leaving?’ screen.
  6. Run through the process again to add your own domain, selecting advanced mode.
  7. WordPress will instruct you to set up two A records
  8. Set these up, wait for them to propagate.
    dig blog.thewatertower.org -t a
  9. In Upgrades > Domains, SSL will likely show as pending for the domain. Click on that, and then under Domain security there’ll be an option to issue a certificate.

I did try setting up a CAA record for blog.thewatertower.org. The record didn’t seem to propagate. If I asked Cloudflare, it would return the record:

$ dig @1.1.1.1  blog.thewatertower.org caa
;; ANSWER SECTION:
blog.thewatertower.org.	900	IN	CAA	0 issuewild "letsencrypt.org"

This was what the Cloudflare UI had guided me to set up, copying bits from the home.blog. record.
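To make the two dig results above concrete, here is an added example (not from the post, not WordPress.com or Cloudflare code) that evaluates which CAA record set governs a hostname the way RFC 8659 describes: a CAA lookup follows the CNAME chain first, and if the name has no CAA records the check climbs to the parent name. The zone data is constructed from the dig output quoted in the post; the A-record addresses, the second ACME account URI and the function names are assumptions for illustration. With the CNAME in place the relevant set is home.blog's record, with its accounturi and validationmethods restrictions; with A records the chain never reaches home.blog and no CAA policy applies. The example goes beyond the post in evaluating the issue/issuewild choice and the two Let's Encrypt parameters generically.

```python
"""Determine the CAA record set that governs a name (RFC 8659 section 3) and
check whether a CA, optionally with account URI and validation method, is
authorized by it.  All zone data below is constructed for this example."""

# Constructed records mirroring the post's first dig: the custom domain is a
# CNAME to a wordpress.com host, which is a CNAME to home.blog, and only
# home.blog carries a CAA record.  CAA entries are (flags, tag, value).
ZONE_CNAME_SETUP = {
    "blog.thewatertower.org.": {"CNAME": ["watertower.home.blog."]},
    "watertower.home.blog.": {"CNAME": ["home.blog."]},
    "home.blog.": {"CAA": [(0, "issuewild",
        "letsencrypt.org;validationmethods=dns-01;"
        "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/36334489")]},
}

# Constructed records for the post's fix: A records instead of the CNAME.
# Addresses are documentation-range placeholders, not WordPress.com's.
ZONE_A_SETUP = {
    "blog.thewatertower.org.": {"A": ["192.0.2.10", "192.0.2.11"]},
    "home.blog.": ZONE_CNAME_SETUP["home.blog."],
}


def caa_lookup(zone, name, max_cnames=8):
    """CAA(X): the CAA RRset a resolver returns for X, which means following
    any CNAME chain first.  Returns (records, owner_name)."""
    seen = set()
    while name not in seen and len(seen) < max_cnames:
        seen.add(name)
        rrsets = zone.get(name, {})
        if "CNAME" in rrsets:       # a CNAME owner carries no other records
            name = rrsets["CNAME"][0]
            continue
        return list(rrsets.get("CAA", [])), name
    return [], name                 # CNAME loop or overly long chain: empty


def parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(zone, name):
    """RelevantCAASet(X): CAA(X) if non-empty, otherwise the parent's set,
    stopping at the root.  Returns (records, owner_name or None)."""
    while name != ".":
        records, owner = caa_lookup(zone, name)
        if records:
            return records, owner
        name = parent(name)
    return [], None


def parse_issue_value(value):
    """Split 'ca.example;k1=v1;k2=v2' into (issuer_domain, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0], params


def ca_permitted(records, ca_domain, wildcard=False, account_uri=None, method=None):
    """Apply the issue/issuewild rules of RFC 8659 section 4, plus the
    accounturi and validationmethods parameters Let's Encrypt honors.
    Wildcard requests use issuewild records if any exist, else issue records;
    non-wildcard requests use issue records only.  No records under the
    chosen tag means the CA is unrestricted."""
    by_tag = {"issue": [], "issuewild": []}
    for flags, tag, value in records:
        if tag in by_tag:
            by_tag[tag].append(value)
        elif flags & 128:           # critical flag on an unknown tag: refuse
            return False
    chosen = by_tag["issuewild"] if wildcard and by_tag["issuewild"] else by_tag["issue"]
    if not chosen:
        return True
    for value in chosen:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain:
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        if "validationmethods" in params and \
                method not in params["validationmethods"].split(","):
            continue
        return True
    return False


if __name__ == "__main__":
    for label, zone in (("CNAME setup", ZONE_CNAME_SETUP), ("A-record setup", ZONE_A_SETUP)):
        recs, owner = relevant_caa_set(zone, "blog.thewatertower.org.")
        print(f"{label}: relevant CAA set found at {owner}: {recs}")
```

The lookup models only the DNS semantics; it does not model Cloudflare-specific behaviour such as CNAME flattening, so it does not explain why the CAA record in the second dig was answered by 1.1.1.1 but not seen elsewhere. What it does show is the delegation effect of a CNAME: whoever controls the CNAME target's zone sets the issuance policy for your name, including restrictions to a specific ACME account and validation method.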

Not clear why this just stopped working. I guess WordPress added the CAA record.