Block letsencrypt in my domain

Hi

I do not want developers to get certificates for my domain without going through an internal process, but I believe that they are using the http-01 challenge, which as they control the site, I am not able to prevent.

Is there any way that I can disable letsencrypt from creating certificates, or have them revoked?

1 Like

Sure, you can block any CA from issuing certificates with a DNS CAA record on your domain, e.g.

example.com.	IN	CAA	0 issue ";"

Or if you want to allow certificates from some CAs other than Let's Encrypt, you can limit it to just those, e.g.

example.com.	IN	CAA	0 issue "amazon.com"

Check out CAA Record Generator.

5 Likes

One extra note: If you use a CNAME record, then the destination controls CAA checks, so you’ll need to account for that in order to fully control issuance.

For example, if host.example.com is a CNAME pointing to service.contoso.com, then it is the CAA records (or lack thereof) for service.contoso.com and (if missing) contoso.com that will control issuance for host.example.com.

5 Likes

There's also quite a bit in the official documentation:

But using CAA records will only work if "you" (meaning the people trying to restrict this) have DNS access but the "developers" don't.

In theory, if you control DNS, you should be able to use Certificate Transparency to find all certificates issued for your domain, and then use the ACME protocol (under your own account) to validate ownership of the domain names involved and then issue a revocation request. But I don't know offhand of any ACME client that makes that whole process easy. You might also be able to involve the Let's Encrypt humans by emailing cert-prob-reports@letsencrypt.org and somehow proving ownership of the name to them, but in general using the automated ACME interface would be preferable.

3 Likes

But, the process of using Certbot to revoke a certificate issued by another ACME account is in fact documented on Let's Encrypt's web site:

Basically you use certbot to start issuing a certificate for the domain(s) you want to revoke, but also include another nonexistent name so that a real certificate won't be issued. Then put the DNS entries into your DNS to prove you own them, and have certbot start going through the process. It won't validate the nonexistent name, of course, but should validate the other ones. Then, since you have the authorizations cached on your account, you should be able to issue the revoke command for the certificates that you downloaded from Certificate Transparency.

So not easy by any means (and there could probably be a lot more detail added to that documentation, too), but at least it's an "official" way to revoke certificates issued for your domain that shouldn't have been issued.

But one of the advantages of the relatively-short lifetimes of Let's Encrypt certificates is that you can just wait for a few months after adding the CAA record and the existing certificates will all have expired. So not bothering to revoke (assuming that the private keys are in fact safe) is probably "good enough" for many circumstances.

2 Likes