Randomly certbot started to fail to automatically renew my TLS certs.
I get the following error in the email:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.scrncheat.com
Type: dns
Detail: During secondary validation: While processing CAA for mail.scrncheat.com: DNS problem: looking up CAA for mail.scrncheat.com: DNSSEC: DNSKEY Missing: validation failure <mail.scrncheat.com. CAA IN>: key for validation mail.scrncheat.com. is marked as invalid because of a previous No DNSKEY record
I’ve run “sudo mailinabox” again and tried to manually reprovision, but get the same error.
Thing is, you shouldn’t have to, because it’s not mandatory. However, as Let’s Encrypt also notes (see the bottom of that page, CAA errors), if the DNS server replies incorrectly, you might also receive this. I would expect that Cloudflare does not have this issue.
On the other hand, setting the CAA record should not hurt if you don’t do anything complex with HTTPS certificates.
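To see what the CA’s validating resolver sees for that CAA lookup, here is an added shell check (not from this thread or from Mail-in-a-Box). The resolver address, the host name and the assumption that the zone apex is one label above the host are mine.

```shell
#!/bin/sh
# Added example: classify a dig answer the way a DNSSEC-validating
# resolver (such as the CA's) sees it. Requires dig (dnsutils/bind-utils).

# classify_dig_output reads dig output on stdin and prints one of:
#   SERVFAIL  - resolver refused to answer; on a validating resolver this is
#               what a broken DNSSEC chain (e.g. missing DNSKEY) looks like
#   VALIDATED - NOERROR with the AD (authenticated data) flag set
#   UNSIGNED  - NOERROR without AD: answered, but not DNSSEC-validated
#   OTHER     - any other rcode (NXDOMAIN, REFUSED, ...)
classify_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo SERVFAIL ;;
    NOERROR)
      case " $flags " in
        *" ad "*) echo VALIDATED ;;
        *) echo UNSIGNED ;;
      esac ;;
    *) echo OTHER ;;
  esac
}

# check_caa_chain queries CAA for a name with DNSSEC through a validating
# resolver; on SERVFAIL it re-queries DNSKEY at the (assumed) zone apex
# with +cd (checking disabled) so you can see whether keys are published.
check_caa_chain() {
  name=$1
  resolver=${2:-1.1.1.1}   # assumption: any DNSSEC-validating resolver
  result=$(dig @"$resolver" +dnssec CAA "$name" | classify_dig_output)
  echo "CAA $name via $resolver: $result"
  if [ "$result" = SERVFAIL ]; then
    apex=$(printf '%s' "$name" | sed 's/^[^.]*\.//')  # assumption: apex = parent
    echo "DNSKEY for $apex (validation disabled):"
    dig @"$resolver" +cd +short DNSKEY "$apex"
  fi
}

# Constructed sample (not captured from the thread's domain) of what a
# validating resolver returns when validation of the CAA lookup fails:
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
printf '%s\n' "$SAMPLE_SERVFAIL" | classify_dig_output   # prints SERVFAIL

# check_caa_chain mail.example.com   # live check; uncomment to run
```

If the live check prints SERVFAIL while the +cd DNSKEY query returns nothing, the zone is being treated as signed (a DS record exists at the parent) but publishes no keys, which matches the "No DNSKEY record" wording in the error.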
I exported, and imported all the details given within MiaB into Cloudflare. The SOA is managed by Cloudflare themselves. I’m not sure what I’ve configured incorrectly.