Netlify site name: optimade-providers.netlify.app
Custom domain: providers.optimade.org
First: "SniCertificate::CertificateInvalidError: Unable to verify challenge for providers.optimade.org
We can't renew your Let's Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate."
Later: "Acme::Client::Error::RateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/ We can't renew your Let's Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate."
I’ve tracked the issue down to a CAA record problem:
The sysadmins handling our top domain optimade.org want only the CAA record for sectigo.com there. There would be security implications in allowing letsencrypt to issue a certificate for this top domain, and there is no reason to allow this.
providers.optimade.org is a CNAME to your servers. A subdomain with a CNAME record is formally not allowed to have other records, so we shouldn't set a CAA record here.
You do not set any CAA records on the CNAME target.
This means that CAA resolution ends up finding the top domain CAA record that only allows sectigo.com. Hence, the letsencrypt renewal fails.
We don't have the same issue with other subdomains of optimade.org hosted using GitHub Pages, because they sensibly set CAA records for letsencrypt on their CNAME targets to avoid this issue.
Is there a reason you do not do the same thing? As far as I can see, if you won’t set letsencrypt CAA records at your end user CNAME targets the way GitHub pages do, we will have to “unnecessarily” provision a sectigo certificate also for our