CAA record issue



This one is a bit annoying because it's also dealing with a 3rd party...

 

We have a website that is run by a vendor and they of course use cPanel as their management system... We control DNS and the domain, they just handle the website.

Our site is set up so we have an A record of WWW and A record of @ pointing to their hosting server IP.

 

Our CAA records have the following:

Quote

ourdomain.com. 0 ISSUE LETSENCRYPT.ORG
ourdomain.com. 0 ISSUE SECTIGO.COM
ourdomain.com. 0 IODEF MAILTO:ADMIN@OURDOMAIN.COM

Those two are added because they are requiring us to use Let's Encrypt for our public site (we've tried to get them to use a better commercial SSL provider, but they either don't understand how to in cPanel or just don't want to take the effort to use a cert we are willing to pay for).

But here's the issue... the cert gets issued from Let's Encrypt fine, renews every 3 months or so with no issues, but the host is insisting we have CAA set up wrong.

The cert that is generated is for ourdomain.com with a SAN of www.ourdomain.com because that's what it auto generates.

cPanel is reporting back this warning from Let's Encrypt:

 

Quote

WARN “Let’s Encrypt™” HTTP DCV error (www.ourdomain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for www.ourdomain.com - the domain's nameservers may be malfunctioning)

Now, www is an A record in the ourdomain.com zone; we don't have a zone for WWW in our domain (an A record is just an address record, right?). Let's Encrypt is claiming I have to add a CAA record for our "www zone". Should it not just use the CAA record from ourdomain.com's zone since it's an A record for www?

It only issues this warning for WWW.ourdomain.com but not for the base ourdomain.com.

We have wildcard certs on a site we host ourselves and never had this issue with a wildcard cert (from Network Solutions).
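
The CAA lookup defined in RFC 8659, as an added example that is not part of the original post: the CA queries CAA at the requested name first and climbs to the parent only when that query returns cleanly with no records, so www needs no CAA record of its own, but a SERVFAIL on the www query stops the lookup before the parent's records are read. The resolver functions, record tuples and response codes below are constructed for illustration and run without network access.

```python
# Added example: RFC 8659 CAA lookup against a simulated resolver (no network).
# Zone contents mirror the records in the post; resolver answers are constructed.

class CAALookupError(Exception):
    """A CAA query failed (e.g. SERVFAIL), so the CA cannot evaluate policy."""

PARENT_RRSET = [  # (flags, tag, value) as published at ourdomain.com.
    (0, "ISSUE", "LETSENCRYPT.ORG"),
    (0, "ISSUE", "SECTIGO.COM"),
    (0, "IODEF", "MAILTO:ADMIN@OURDOMAIN.COM"),
]

def healthy_resolver(name):
    # www has only an A record: a CAA query returns NOERROR with no data.
    return ("NOERROR", PARENT_RRSET if name == "ourdomain.com." else [])

def failing_resolver(name):
    # Constructed failure: the CAA query for www returns SERVFAIL.
    if name == "www.ourdomain.com.":
        return ("SERVFAIL", [])
    return healthy_resolver(name)

def relevant_caa(fqdn, query):
    """Walk from fqdn toward the root; return (owner, rrset) of the first CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, rrset = query(name)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            raise CAALookupError(f"{rcode} looking up CAA for {name}")
        if rrset:
            return name, rrset
    return None, []

def may_issue(fqdn, ca_domain, query):
    """True if ca_domain may issue a non-wildcard certificate for fqdn."""
    _, rrset = relevant_caa(fqdn, query)
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in rrset if tag.lower() == "issue"]
    # No issue properties in the relevant set: issuance is not restricted.
    return not issuers or ca_domain.lower() in issuers

if __name__ == "__main__":
    print(relevant_caa("www.ourdomain.com", healthy_resolver)[0])
    print(may_issue("www.ourdomain.com", "letsencrypt.org", healthy_resolver))
    try:
        may_issue("www.ourdomain.com", "letsencrypt.org", failing_resolver)
    except CAALookupError as e:
        print("blocked:", e)
```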
