Failed to sign the SSL certification for my domain

My YunoHost server

Hardware: VPS bought online / AWS Lightsail / 1GB ram + 1v CPU
YunoHost version: 11.0.9.15 (stable)
I have access to my server : through the webadmin | direct access via keyboard
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

I tried to sign the SSL certification for my domain (liumo.art), but it failed. I want to know how to fix it.

Here is the link of the full log: https://paste.yunohost.org/raw/aworofivaw

Thanks!

The error is:

'detail': 'CAA record for domain2.tld prevents issuance'

Do you have more info on what the value of the CAA record for that domain is?

Many thanks for the reminder! I deleted the CAA record of the domain and the problem was solved. But I still want to know: is the CAA record a required field for my domain? What will be the problem if I delete that record? Is the CAA value 「128 issue “letsencrypt.org”」 a correct record? Thanks!

The CAA is not really recommended, it’s merely a “security bonus”

What it does is prevent any other certification authority from emitting a certificate for your domain … which covers some (in my opinion) elaborate threat model …

You can have a perfectly fine running server without a CAA record
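
An added example, not part of the original thread: a sketch of how a CA evaluates CAA records under RFC 8659, run over constructed zone data that includes the record value quoted above. The function names and the `ZONE` contents are assumptions made for illustration, and the sketch goes slightly beyond the thread by also covering parent-domain lookup and wildcard names.

```python
import re

# Presentation-format CAA RDATA: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

ZONE = {  # constructed sample data, not taken from any real zone
    "example.org": ['128 issue "letsencrypt.org"'],
    "example.net": ['0 issue "letsencrypt.org"'],
    "shop.example.net": ['0 issue "ca.example"'],
    "locked.example": ['0 issue ";"'],
}

def parse_caa(rdata):
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(zone, name):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def may_issue(zone, name, ca_id):
    """Return (allowed, reason) for the CA whose CAA identifier is ca_id."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True, "no CAA records: any CA may issue"
    for flags, tag, _ in rrset:
        # Flag 128 is the critical bit: an unknown critical tag blocks issuance.
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown property {tag!r}"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    values = issuewild if name.startswith("*.") and issuewild else issue
    if not values:
        return True, "no issue/issuewild property: issuance not restricted"
    # The issuer domain is the part before any ';' parameters; ';' alone means nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    if ca_id.lower() in allowed:
        return True, f"{ca_id} is authorized"
    return False, "CAA record prevents issuance"
```
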

Got it. Thank you!
