--allow-subset-of-names does not work when CAA record present for one of the provided domains

[JamesBalazs]

My operating system is (include version):

Fedora 32

I installed Certbot with (snap, OS package manager, pip, certbot-auto, etc):

dnf (OS package manager)

I ran this command and it produced this output:

        certbot certonly \
        --force-renew \
        --manual \
        --manual-public-ip-logging-ok \
        --allow-subset-of-names --text \
        --non-interactive \
        --keep-until-expiring \
        --debug \
        --expand \
        --no-self-upgrade \
        --agree-tos \
        --config-dir "/mnt/efs/letsencrypt/config" \
        --work-dir "/mnt/efs/letsencrypt/work" \
        --logs-dir "/mnt/efs/letsencrypt/logs" \
        #{domains}

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.14.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1304, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 341, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 390, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 291, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline,
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 920, in finalize_order
    return cast(ClientV2, self.client).finalize_order(
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 742, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 86, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 1198, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 1211, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 1068, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: Rechecking CAA for "xxxxx.xxxx.xx" and 1 more identifiers failed. Refer to sub-problems for more information

Certbot's behavior differed from what I expected because:

When using --allow-subset-of-names I expect certbot to issue a certificate for any names that do not have errors, even if some do have errors.

Instead, Certbot panics when it finds CAA records that forbid the CA from issuing a certificate for one of the names, and does not continue to issue a certificate for the rest of the names.

[alexzorin]

I think this is an unfortunate side-effect of how Let's Encrypt has implemented its CAA checking.

To the best of my understanding, Let's Encrypt's CA can check CAA records at two different times:

1. One check when initially validating control of your domain
2. One late-stage check during order finalization (right before it issues a certificate), only if the CAA record wasn't checked recently (e.g. in case of a cached authorization from a few days ago).

If you run Certbot with --allow-subset-of-names and Let's Encrypt rejects one of the domains during (1) due to CAA, then Certbot will continue with as many domains as it can anyway. This works as intended.

The issue you are encountering is the (2) situation, where your ACME account already has valid authorizations for your domain (including passing with valid CAA), but the CAA record got changed at a later time to be prohibitive. Certbot does not detect or interpret the finalization CAA error as being relevant to --allow-subset-of-names.

There is probably enough error detail in the finalization error response that Certbot could theoretically detect that order finalization has failed due to CAA of one or more domains, and could recreate the order, to match the behavior of (1).

I don't think it's likely that we would prioritize fixing an issue as obscure as this one, but let's leave it up as a feature request just in case.

[alexzorin]

We'd probably also have to first fix #7046 in order to fix this.

[osirisinferi]

    --force-renew \
    (...)
    --keep-until-expiring \

Slightly offtopic, but aren't those two options mutually exclusive? Please be carefull with --force-renew due to rate limits et cetera.

[JamesBalazs]

@alexzorin I could submit a PR for #7046 and then one to specifically catch the CAA subproblem during order finalization.

I'd be happy to do so if yourself or another contributor can review - however I don't want to commit much time to it, if there's a low chance of the PRs ever getting looked at or released due to the low priority.

Edit: PR: #9258

[alexzorin]

Thanks for opening that. I think if subproblems were merged, then I'd be willing to try get this issue fixed as well.

I'm not 100% sure yet that it's safe to add --allow-subset-of-names support to order finalization, but at least from a priority perspective, I'm onboard.

[JamesBalazs]

@alexzorin I opened a PR with an initial attempt at retry logic here: #9272

I have some questions about checks that we might want to do to ensure a retry is likely to succeed, which specific errors we should bother retrying on etc, which are mentioned in the description of the PR.

There's also a unit test that works locally but fails in CI, so I also have to figure that out 🤔