On Wednesday May 30th (later this afternoon; the change is live as of 16:44 UTC) we will enable support for the validationmethods restriction from the ACME-CAA draft standard in staging. This standard will allow you to restrict which ACME challenge types (e.g. http-01) can be used to validate your domains via a validationmethods CAA record extension. If you're interested, we encourage you to test this feature with your domains in preparation for a production launch. We look forward to your feedback! If you're not interested, you don't need to do anything.
To use this new feature, add the validationmethods extension to your CAA record's
To allow only DNS-01 issuance, update the CAA record value to:

issue "letsencrypt.org; validationmethods=dns-01"

To allow only HTTP-01 issuance (note this will preclude wildcard issuance, which requires DNS-01), update the CAA record value to:

issue "letsencrypt.org; validationmethods=http-01"
Subdomains can override the CAA policy set by parent domains. Please see our CAA documentation for more information about CAA. You may also find the SSLMate CAA Record Generator useful. Keep in mind that validationmethods is currently only a draft, and is not honored by other CAs.
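As an added illustration (not code from Let's Encrypt or the ACME-CAA draft), the check below evaluates a CAA issue value carrying validationmethods the way the post describes: a subdomain's own CAA record overrides its parent's, a name with no CAA records anywhere up the tree is unrestricted, and wildcard issuance is only possible with dns-01. The ZONE table is constructed sample data, not real DNS.

```python
# Constructed CAA data: owner name -> list of (tag, value). Empty list = no CAA records.
ZONE = {
    "example.com.": [("issue", "letsencrypt.org; validationmethods=dns-01")],
    "www.example.com.": [("issue", "letsencrypt.org; validationmethods=http-01")],
    "api.example.com.": [],
}


def parse_caa_value(value):
    """Split 'issuer; k=v; k=v' into (issuer, {k: v}); parameter names are case-insensitive."""
    issuer, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for item in rest:
        if "=" in item:
            key, val = item.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return issuer.lower(), params


def relevant_caa_set(name, zone):
    """Walk from name toward the root and return the closest non-empty CAA record set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return zone[owner]
    return []


def validation_permitted(name, method, zone=ZONE, ca="letsencrypt.org", wildcard=False):
    """True if CA may validate name with the given ACME challenge type under the CAA policy."""
    # A wildcard name can only be proven with dns-01, whatever the CAA record says.
    if wildcard and method != "dns-01":
        return False
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA policy anywhere in the tree: no restriction
    for tag, value in records:
        if tag.lower() != "issue":
            continue
        issuer, params = parse_caa_value(value)
        if issuer != ca:
            continue
        if "validationmethods" not in params:
            return True  # CA is listed without a method restriction
        allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
        if method.lower() in allowed:
            return True
    return False  # CA not listed, or listed only with methods that exclude this one
```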
Edit: Updated to reflect that the change did not go live as planned yesterday and will instead be enabled in staging today. Apologies for the delay.
Edit 2: Updated to reflect that this is now live in staging as of ~16:44 UTC.
Edit 3: Updated to reflect ACME-CAA draft-05 removing the dash (-) character in the