letstencrypt not working due to CAA error

[INF] Current interactsh version 1.2.4 (latest)
[INF] Requesting SSL Certificate for: [.mydomain.tld, mydomain.tld]
1.7417081488911262e+09 info obtain acquiring lock {"identifier": ".mydomain.tld"}
1.7417081488913767e+09 info maintenance started background certificate maintenance {"cache": "0xc000622380"}
1.741708148892235e+09 info obtain lock acquired {"identifier": ".mydomain.tld"}
1.741708148892648e+09 info obtain obtaining certificate {"identifier": ".mydomain.tld"}
1.741708148893196e+09 info waiting on internal rate limiter {"identifiers": [".mydomain.tld"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@mydomain.tld"}
1.741708148893231e+09 info done waiting on internal rate limiter {"identifiers": [".mydomain.tld"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "admin@mydomain.tld"}
1.7417081499733484e+09 info acme_client trying to solve challenge {"identifier": ".mydomain.tld", "challenge_type": "dns-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
1.7417082205282102e+09 error acme_client cleaning up solver {"identifier": ".mydomain.tld", "challenge_type": "dns-01", "error": "no memory of presenting a DNS record for "_acme-challenge.mydomain.tld" (usually OK if presenting also failed)"}
1.741708220528238e+09 error acme_client challenge failed {"identifier": ".mydomain.tld", "challenge_type": "dns-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "During secondary validation: While processing CAA for .mydomain.tld: DNS problem: query timed out looking up CAA for mydomain.tld", "instance": "", "subproblems": []}}
1.7417082205282562e+09 error acme_client validating authorization {"identifier": ".mydomain.tld", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "During secondary validation: While processing CAA for .mydomain.tld: DNS problem: query timed out looking up CAA for mydomain.tld", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/2275367196/362493891656", "attempt": 1, "max_attempts": 3}
1.741708220528274e+09 error obtain could not get certificate from issuer {"identifier": ".mydomain.tld", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 0 urn:ietf:params:acme:error:dns - During secondary validation: While processing CAA for .mydomain.tld: DNS problem: query timed out looking up CAA for mydomain.tld"}
1.741708220528282e+09 info obtain releasing lock {"identifier": ".mydomain.tld"}
[ERR] An error occurred while applying for a certificate, error: [.mydomain.tld] Obtain: [*.mydomain.tld] solving challenge: .mydomain.tld: [.mydomain.tld] authorization failed: HTTP 0 urn:ietf:params:acme:error:dns - During secondary validation: While processing CAA for *.mydomain.tld: DNS problem: query timed out looking up CAA for mydomain.tld (ca=https://acme-v02.api.letsencrypt.org/directory)
[ERR] Could not generate certs for auto TLS, https will be disabled
[ERR] An error occurred while preparing tls configuration, error: no certificates provided

[dwisiswant0]

"DNS problem: query timed out looking up [...]" can happen for two reasons:

• There are no CAA records in the DNS configuration for the target domain.
• Your DNS resolvers can't reach the domain's DNS server - this is likely a connectivity issue on your end. Try changing the DNS resolvers using the -r/-resolvers flag.

[dwisiswant0]

Have you had the chance to try the recommendations I provided earlier? If so, could you share the results? I need more details to better understand the situation.

For now, I will be closing this issue, as I don’t have enough information to proceed with further investigation. However, if you are still encountering the same problem, please feel free to reopen the issue and provide additional details. This will help us look into it more thoroughly and work towards a resolution.

[kur4ge]

According to the instructions on Certificate Authority Authorization, a CAA return needs to be configured in order to use Let’s Encrypt for signing. I placed a coredns in front of interactsh to set the CAA value.

Here is my configuration: (172.21.0.1 is the IP address of the interactsh instance)

mydomain.tld {

   forward . 172.21.0.1 {
	force_tcp
   }

   template IN CAA mydomain.tld {
      answer "{{ .Name }} 0 IN CAA 0 issue \"letsencrypt.org\""
   }

}

@dwisiswant0 @mintpu