DNS records missing or incorrect for CAA dns entry in cloudflare

moshbit · April 15, 2025, 12:57am

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.0.14
How are you able to access your server: The webadmin
SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: Vanilla, no special setup. Just followed the instructions in the documentation.

Describe your issue

No matter what I do, I can’t get rid of this error:

Some DNS records are missing or incorrect for domain punknomad.com (category extra)

Please check the documentation at DNS zone configuration | Yunohost Documentation if you need help configuring DNS records.
The following DNS record does not seem to follow the recommended configuration:
Type: CAA
Name: @
Current value: [‘0 issuewild “letsencrypt.org”’, ‘0 issuewild “pki.goog; cansignhttpexchanges=yes”’, ‘0 issuewild “ssl.com”’, ‘0 issue “comodoca.com”’, ‘0 issue “digicert.com; cansignhttpexchanges=yes”’, ‘0 issue “letsencrypt.org”’, ‘0 issue “pki.goog; cansignhttpexchanges=yes”’, ‘0 issue “ssl.com”’, ‘0 issuewild “comodoca.com”’, ‘0 issuewild “digicert.com; cansignhttpexchanges=yes”’]
Expected value: 0 issue “letsencrypt.org”

I’ve searched the forums and the only thing close I could find was a thread about turning off then back on universal ssl in cloudflare. I tried that but with no effect. It appears that cloudflare is tacking on a bunch of extra issuers that the yunohost isn’t expecting to be there, and I don’t know how to fix it. Any help would be much appreciated!

Share relevant logs or error messages

=================================
Base system (basesystem)

[INFO] Server hardware architecture is bare-metal amd64

Server model is To Be Filled By O.E.M. To Be Filled By O.E.M.

[INFO] Server is running Linux kernel 6.1.0-33-amd64

[INFO] Server is running Debian 12.10

[INFO] Server is running YunoHost 12.0.14 (stable)

yunohost version: 12.0.14 (stable)
yunohost-admin version: 12.0.7.1 (stable)
yunohost-portal version: 12.0.10 (stable)
moulinette version: 12.0.4 (stable)
ssowat version: 12.0.3 (stable)

=================================
Internet connectivity (ip)

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!

Global IP: xx.xx.xx.xx
Local IP: xx.xx.xx.xx

[SUCCESS] The server is connected to the Internet through IPv6!

Global IP: xx:xx:xx:xx:xx:xx
Local IP: xx:xx:xx:xx:xx:xx

=================================
DNS records (dnsrecords)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)

Please check the documentation at DNS zone configuration | Yunohost Documentation if you need help configuring DNS records.
The following DNS record does not seem to follow the recommended configuration:
Type: CAA
Name: @
Current value: [‘0 issuewild “letsencrypt.org”’, ‘0 issuewild “pki.goog; cansignhttpexchanges=yes”’, ‘0 issuewild “ssl.com”’, ‘0 issue “comodoca.com”’, ‘0 issue “digicert.com; cansignhttpexchanges=yes”’, ‘0 issue “letsencrypt.org”’, ‘0 issue “pki.goog; cansignhttpexchanges=yes”’, ‘0 issue “ssl.com”’, ‘0 issuewild “comodoca.com”’, ‘0 issuewild “digicert.com; cansignhttpexchanges=yes”’]
Expected value: 0 issue “letsencrypt.org”

[SUCCESS] Your domains are registered and not going to expire anytime soon.

maindomain.tld expires in 296 days.

=================================
Ports exposure (ports)

[SUCCESS] Port 22 is reachable from the outside.

Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from the outside.

Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.

Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.

Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.

Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.

Exposing this port is needed for email features (service dovecot)

=================================
Web (web)

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.

=================================
Email (mail)

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[ERROR] No reverse DNS is defined in IPv6. Some emails may fail to get delivered or be flagged as spam.

You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
Some providers won’t let you configure your reverse DNS (or their feature might be broken…). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running ‘yunohost settings set email.smtp.smtp_allow_ipv6 -v off’. Note: this last solution means that you won’t be able to send or receive emails from the few IPv6-only servers out there.

[SUCCESS] The IPs and domains used by this server do not appear to be blacklisted

[SUCCESS] 0 pending emails in the mail queues

=================================
Services status check (services)

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service opendkim is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunohost-portal-api is running!

[SUCCESS] Service yunomdns is running!

=================================
System resources (systemresources)

[SUCCESS] The system still has 30 GiB (97%) RAM available out of 31 GiB.

[SUCCESS] The system has 1024 MiB of swap!

Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/md3) still has 3.4 TiB (99.9%) space left (out of 3.4 TiB)!

[SUCCESS] Storage /boot (on device /dev/md2) still has 803 MiB (87%) space left (out of 920 MiB)!

[SUCCESS] Storage /boot/efi (on device /dev/sda1) still has 505 MiB (98.9%) space left (out of 511 MiB)!

=================================
System configurations (regenconf)

[SUCCESS] All configuration files are in line with the recommended configuration!

=================================
Applications (apps)

[SUCCESS] All installed apps respect basic packaging practices

DNS records missing or incorrect for CAA dns entry in cloudflare

Describe your issue

Share relevant logs or error messages

================================= Base system (basesystem)

================================= Internet connectivity (ip)

================================= DNS records (dnsrecords)

================================= Ports exposure (ports)

================================= Web (web)

================================= Email (mail)

================================= Services status check (services)

================================= System resources (systemresources)

================================= System configurations (regenconf)

================================= Applications (apps)