I cannot configure the CAA section in YUNOHOST DNS settings

My YunoHost server

Hardware: VPS bought online (Debian 11.9)
YunoHost version: 11.2.11.3 (stable)
I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello dear friends… Yes, I have been trying to set up a fully stable YUNOHOST for 2 days. Since the company I purchased my domain from does not support CAA records itself, I manage the YUNOHOST DNS settings via Cloudflare. Let me explain my problem as follows, supporting it with visuals.

Yes, as you can see above, I can’t adjust the settings for the CAA certificate and Cloudflare. I’ve been on this for 2 days and I’ve been trying to adjust it. My Cloudflare DNS records are as you can see above, and I really can’t understand where I’m going wrong. I’ve tried all possibilities.

My YUNOHOST details are below.

=================================
Base system (basesystem)
=================================

[INFO] Server hardware architecture is vmware amd64
  - Server model is VMware, Inc. VMware Virtual Platform

[INFO] Server is running Linux kernel 5.10.0-29-amd64

[INFO] Server is running Debian 11.9

[INFO] Server is running YunoHost 11.2.11.3 (stable)
  - yunohost version: 11.2.11.3 (stable)
  - yunohost-admin version: 11.2.5 (stable)
  - moulinette version: 11.2 (stable)
  - ssowat version: 11.2 (stable)



=================================
Internet connectivity (ip)
=================================

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!
  - Global IP: xx.xx.xx.xx
  - Local IP: xx.xx.xx.xx



=================================
DNS records (dnsrecords)
=================================

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)
  - Please check the documentation at https://yunohost.org/dns_config if you need help configuring DNS records.
  - The following DNS record does not seem to follow the recommended configuration:
    Type: CAA
    Name: @
    Current value: ['0 issuewild "digicert.com; cansignhttpexchanges=yes"', '0 issuewild "letsencrypt.org"', '0 issue "pki.goog; cansignhttpexchanges=yes"', '0 issuewild "comodoca.com"', '0 issue "comodoca.com"', '0 issue "digicert.com; cansignhttpexchanges=yes"', '0 issuewild "pki.goog; cansignhttpexchanges=yes"', '0 issue "letsencrypt.org"']
    Expected value: 0 issue "letsencrypt.org"



=================================
Ports exposure (ports)
=================================

[SUCCESS] Port 22 is reachable from the outside.
  - Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from the outside.
  - Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.
  - Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.
  - Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.
  - Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.
  - Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 5222 is reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from the outside.
  - Exposing this port is needed for xmpp features (service metronome)



=================================
Web (web)
=================================

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.



=================================
Email (mail)
=================================

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[ERROR] Reverse DNS is not correctly configured for IPv4. Some emails may fail to get delivered or be flagged as spam.
  - Current reverse DNS: nacsshost.com
    Expected value: maindomain.tld
  - You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
  - Some providers won't let you configure your reverse DNS (or their feature might be broken…). If you are experiencing issues because of this, consider the following solutions:
    - Some ISPs provide the alternative of using a mail server relay, though it implies that the relay will be able to spy on your email traffic.
    - A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limit. See https://yunohost.org/#/vpn_advantage
    - Or it's possible to switch to a different provider

[SUCCESS] The IPs and domains used by this server do not appear to be blacklisted

[SUCCESS] 0 pending emails in the mail queues



=================================
Services status check (services)
=================================

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.4-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunomdns is running!



=================================
System resources (systemresources)
=================================

[SUCCESS] The system still has 7.0 GiB (91%) RAM available out of 7.8 GiB.

[INFO] The system has no swap at all. You should consider adding at least 512 MiB of swap to avoid situations where the system runs out of memory.
  - Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/sda1) still has 44 GiB (93.6%) space left (out of 47 GiB)!



=================================
System configurations (regenconf)
=================================

[SUCCESS] All configuration files are in line with the recommended configuration!



=================================
Applications (apps)
=================================

[SUCCESS] All installed apps respect basic packaging practices

Welcome!

Here is Cloudflare’s documentation on why they add these CAA records: Certification Authority Authorization (CAA) FAQ · Cloudflare SSL/TLS docs

  1. If you do not need Cloudflare’s Universal SSL (my guess is you don't), you can disable it and the extra CAA records will be removed.

  2. If you want to keep Cloudflare’s Universal SSL, just ignore the diagnosis warning. As you can see, Let’s Encrypt is listed in there, so you should be able to generate certificates anyway.
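The reply above turns on one point: a CA does not check whether the CAA set equals a single expected record, it evaluates the whole set under RFC 8659 and asks whether its own issuer domain appears. The following script is an added example (not code from this thread, from YunoHost or from Cloudflare) that performs that evaluation offline on the record set copied from the diagnosis output above; the record list, the `may_issue` and `authorized_issuers` names, and the `YUNOHOST_EXPECTED` set are constructed for illustration. It handles the two details that usually trip people up: `issuewild` only takes over for wildcard names when at least one `issuewild` record exists, and a record with the critical flag (0x80) and an unknown tag must make a CA refuse.

```python
import re
from typing import NamedTuple

# Constructed sample: the CAA set reported in the diagnosis above, written as
# presentation-format strings ("flags tag \"value\"").
SAMPLE_CAA = [
    '0 issuewild "digicert.com; cansignhttpexchanges=yes"',
    '0 issuewild "letsencrypt.org"',
    '0 issue "pki.goog; cansignhttpexchanges=yes"',
    '0 issuewild "comodoca.com"',
    '0 issue "comodoca.com"',
    '0 issue "digicert.com; cansignhttpexchanges=yes"',
    '0 issuewild "pki.goog; cansignhttpexchanges=yes"',
    '0 issue "letsencrypt.org"',
]

# Constructed sample: the single record the YunoHost diagnosis says it expects.
YUNOHOST_EXPECTED = ['0 issue "letsencrypt.org"']

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit


class CAA(NamedTuple):
    flags: int
    tag: str      # lower-cased property tag
    ca: str       # issuer domain from the value; "" means "no CA at all"
    params: dict  # "key=value" parameters after the first ';'


_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> CAA:
    """Parse one CAA record in presentation format into its parts."""
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    ca = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CAA(flags, tag, ca, params)


def _relevant(records, wildcard: bool):
    """Pick the records that govern a wildcard or non-wildcard name."""
    recs = [parse_caa(r) for r in records]
    # Critical flag on a tag we do not understand: issuance must be refused.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in recs):
        return None
    issue = [r for r in recs if r.tag == "issue"]
    issuewild = [r for r in recs if r.tag == "issuewild"]
    # issuewild only governs wildcard names when at least one is present;
    # otherwise the issue records apply to wildcard names as well.
    return issuewild if (wildcard and issuewild) else issue


def authorized_issuers(records, wildcard: bool = False):
    """Return the set of CA domains that may issue, or None if unrestricted.

    An empty set means the CAA set forbids every CA (e.g. '0 issue ";"')."""
    relevant = _relevant(records, wildcard)
    if relevant is None:
        return set()
    if not relevant:
        return None  # no applicable records: CAA imposes no restriction
    return {r.ca for r in relevant if r.ca}


def may_issue(records, ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 check: may `ca` issue for this name given these records?"""
    allowed = authorized_issuers(records, wildcard)
    return True if allowed is None else ca.lower() in allowed


if __name__ == "__main__":
    for label, recs in (("Cloudflare set", SAMPLE_CAA), ("YunoHost expected", YUNOHOST_EXPECTED)):
        print(f"{label}: non-wildcard -> {sorted(authorized_issuers(recs))}, "
              f"wildcard -> {sorted(authorized_issuers(recs, wildcard=True))}")
        print(f"  letsencrypt.org may issue: {may_issue(recs, 'letsencrypt.org')}, "
              f"wildcard: {may_issue(recs, 'letsencrypt.org', wildcard=True)}")
```

Running it shows why the warning is cosmetic: with the Cloudflare-managed set, `letsencrypt.org` is authorized for both plain and wildcard names, and with the single record YunoHost expects it is authorized for both as well, because with no `issuewild` present the `issue` record covers wildcards. Replacing `SAMPLE_CAA` with the output of `dig +short CAA maindomain.tld` lets you run the same check against live DNS.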
