Approve Let's Encrypt certs

Is there any method for approving a Let's Encrypt cert? Creating a CAA record to allow to issue certs, kind of defeats the purpose of a CAA record.

Is it possible to register a domain/sub domain with where a cert will not be issued without approval?

I don't quite follow. Why would creating a CAA record defeat the purpose of a CAA record?


I don't quite follow the question either.

A cert is only issued by request of an ACME Client and only when control of the domain name requested is proved. So, are you concerned someone else could gain control of your DNS and/or server?

That said, there was an enhancement to the CAA options recently. You can now further restrict cert issuance by method and account.


Just spit balling here. But could you effectively disallow all public certs for your domain by adding a CAA record to your root domain for a non-existent CA and then add additional CAA records on sub-domains as appropriate for "approved" certs?


Our marketing team uses Squarespace for blog sites. Squarespace issues certs for those through Let's Encrypt. Squarespace requires verify CName record to validate domain control, I imagine they pass this on to Let's Encrypt when requesting the cert. All good there.

If I create a CAA record allowing, I'm not just allowing or approving a single cert, I'm allowing any cert request through Let's Encrypt. And, with this, I'm giving up trust for a domain that I manage to Squarespace and Let's Encrypt.

Compare this to Digicert. I have a CAA record for Digicert, someone else tries to request a cert and that request will come to me. So i can allow a blog / hosting service to issue the cert with automation and still maintain control.

An empty CAA RR (just a ;) would be enough for that, no need for non-existing CAs.

Should work indeed. According to RFC 8659 the search for the valid CAA RR works from bottom to top and when a CAA RR is encountered, that CAA RR is returned, ignoring the CAA RR further "up" the tree.


You can restrict a set of Let's Encrypt accounts that are allowed to issue in your CAA records.

We implement RFC 8657 for this:

An example record from the RFC: IN CAA 0 issue "; \
  accounturi=; \

Note that if you have a CAA record for a subdomain, that takes precedence over the CAA record at higher levels. Also note that CAA record lookups for a domain follows CNAMEs, so in combination: if you have a subdomain CNAME'd elsewhere, your top-level CAA record would not restrict issuance if the CNAME destination has a CAA record.


Isn't that how it always is?
[what am I missing?]


Whomever controls DNS, controls the certs for that zone
[CAA is nothing more than a DNS entry]

Whomever controls an FQDN, controls certs for that FQDN [and only that FQDN].
[be it via allowed DNS or via HTTP(S)]
A CNAME delegated FQDN inherently limits the delegated control to that FQDN [only].

Where is the overreach/lack of control?


I wonder if DigiCert still uses email validation tokens that have to be manually applied for issuance.


I guess you want only allow LE to issue certificates to, but not other domains under

If my guess is correct, you can create a CAA record to disallow LE, and create a CAA record to allow LE, except if is a CNAME record (see below).

If I read your reply correctly, is is a CNAME record? If yes, then you will be in a dead end, and you will have no choice. It is because CNAME record doesn't mix with most other DNS records (as per RFC1912, Section 2.4, save a few exceptions explicitly allowed in another RFC), so you cannot set CAA record along with a CNAME record.

I guess this issue may be a overlook in RFC. Is it possible to clarify this in IETF?

1 Like

No, but as mcpherrinm noted in post #7, you put the CAA record in the destination location of the CNAME. You have delegated responsibility for the cert issuance by using the CNAME so that party needs to set the records to allow the issuance (if you have blocked issuance at a higher level).

What hasn't been said yet is that once you CNAME to someone elses domain they could issue a cert for that name with any Certificate Authority. The original question asked how to have Let's Encrypt alert about cert issuance but there is no reason that squarespace has to use just LE. They could use any ACME compliant CA once they have been given control of a domain name.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.