CAA record for et prevents issuance

Hi,

We own the domains page.et and suk.et, purchased from Ethio Telecom, with DNS hosting managed at Cloudflare, and successfully got a Let's Encrypt wildcard certificate.

Now the renewal fails:

certbot certificates

  Certificate Name: page.et
    Serial Number: xxxxxxxxxxxxx
    Key Type: RSA
    Domains: *.page.et *.suk.et page.et suk.et
    Expiry Date: 2023-12-03 07:09:59+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/page.et/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/page.et/privkey.pem
certbot renew
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/page.et.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.page.et and 3 more domains
Waiting 10 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-cloudflare). The Certificate Authority reported these problems:
  Domain: page.et
  Type:   caa
  Detail: CAA record for et prevents issuance

  Domain: suk.et
  Type:   caa
  Detail: CAA record for et prevents issuance

Does that mean that the TLD .et (i.e. Ethio Telecom) is blocking us from getting Let's Encrypt certificates?

Or is there something we can do about this?

PS: I saw Renewal failures - "CAA prevents issuance" with unchanged CAA, but in that error message a second-level domain is mentioned, not a TLD.

PS: Ethio Telecom sells both second-level domains and third-level domains (under .com.et, .net.et and such). Second-level domains became available not so long ago (something between 9 and 12 years ago, I guess). Maybe that's related?

Regards,

Alex

3 Likes

Yes, it seems that the .et TLD has CAA blocking wildcard issuance by Let's Encrypt:

;; QUESTION SECTION:
;et.	IN	 CAA

;; ANSWER SECTION:
et.	0	IN	CAA	0 issue "letsencrypt.org"
et.	0	IN	CAA	0 issue "gandi.net"
et.	0	IN	CAA	0 issue "digicert.com "
et.	0	IN	CAA	0 issue "sectigo.com"
et.	0	IN	CAA	0 issue "entrust.net"
et.	0	IN	CAA	0 issuewild "digicert.com "
et.	0	IN	CAA	0 issuewild "sectigo.com"

For wildcard certificates, that allows digicert and sectigo only.

Because CAA records are searched bottom-up, you can add a more specific issuewild CAA record that allows issuance.

I do think you should consider complaining to the TLD operator, though, as this is certainly a unique choice.

8 Likes

Uh, yes. The CAA record for .et allows several CAs (including Let's Encrypt) for non-wildcard, but only Sectigo & Digicert for wildcard. Very, very weird for there to be a CAA record on a TLD, and is likely the first time that has happened.

You should be able to set a CAA record for the names you control directly, at page.et and such, for the CAs which you want to use.

6 Likes
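The two replies above describe the CAA lookup a CA performs (RFC 8659: strip the wildcard label, climb towards the root, use the first non-empty CAA RRset, and for a wildcard name let issuewild override issue) and the fix (publish CAA at page.et itself). The script below is an added example, not code from Let's Encrypt, Certbot or anyone in this thread: it evaluates that algorithm against a constructed in-memory zone modelled on the dig output quoted above, once as the zone stood when renewal failed and once with CAA records added at page.et. Names such as ZONE_BEFORE, ZONE_AFTER and issuance_allowed are this example's own. CNAME/DNAME following and the live DNS query are omitted.

```python
"""CAA evaluation as a CA performs it (RFC 8659 sections 3 and 4), run over a
constructed in-memory zone instead of live DNS. Added example for this
thread; not code from Let's Encrypt, Certbot or the original poster."""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # RFC 8659 section 4.1: issuer-critical flag bit

# Constructed zone data modelled on the dig output quoted in the thread.
# Each record is (flags, tag, value). The trailing space in "digicert.com "
# is reproduced from that output; RFC 8659 permits WSP around the issuer name.
ZONE_BEFORE = {
    "et.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "gandi.net"),
        (0, "issue", "digicert.com "),
        (0, "issue", "sectigo.com"),
        (0, "issue", "entrust.net"),
        (0, "issuewild", "digicert.com "),
        (0, "issuewild", "sectigo.com"),
    ],
    # page.et. and suk.et. carry no CAA records of their own.
}

# The fix from the thread: CAA records on a name the poster controls.
# Once page.et. has any CAA RRset it becomes the Relevant RRset for both
# page.et and *.page.et, so the et. records stop applying there entirely;
# publish both issue and issuewild if you want both request types pinned.
# suk.et is deliberately left unfixed to show the two names are independent.
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER["page.et."] = [
    (0, "issue", "letsencrypt.org"),
    (0, "issuewild", "letsencrypt.org"),
]


def relevant_rrset(zone, name):
    """RFC 8659 section 3: drop a leading "*" label, then walk from the name
    up towards the root and return (owner, records) of the first non-empty
    CAA RRset, or (None, []) if no ancestor has one."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def issuer_of(value):
    """Parse an issue/issuewild value "<issuer-domain>[; parameters]".
    Returns the lowercased issuer domain; "" for the "no CA at all" form ";"."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone, name, ca):
    """True if the CA identified by domain `ca` may issue for `name`
    (a plain FQDN or a wildcard such as "*.page.et")."""
    owner, rrset = relevant_rrset(zone, name)
    if owner is None:
        return True  # no CAA anywhere in the ancestry: unrestricted
    # Section 4.1: an unrecognised tag flagged critical forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Section 4.3: for a wildcard name, issuewild (if present) replaces issue;
    # for a non-wildcard name, issuewild is ignored.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # the tag that would restrict this request type is absent
    return ca.lower() in {issuer_of(v) for v in applicable}


def explain(zone, name, ca):
    """One-line verdict in the spirit of the Certbot message from the thread."""
    owner, _ = relevant_rrset(zone, name)
    if issuance_allowed(zone, name, ca):
        return f"{name}: {ca} may issue (relevant CAA at {owner or 'none'})"
    return f"{name}: CAA record for {owner.rstrip('.')} prevents issuance by {ca}"


if __name__ == "__main__":
    for label, zone in (("before fix", ZONE_BEFORE), ("after fix", ZONE_AFTER)):
        print(label)
        for n in ("page.et", "*.page.et", "*.suk.et"):
            print("  " + explain(zone, n, "letsencrypt.org"))
```

Note what the after-fix run shows: with a CAA RRset at page.et, the et. records no longer participate at all for page.et, so Digicert and Sectigo are now excluded there unless you list them too, while *.suk.et still fails until suk.et gets its own records.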

Yes, that worked like a charm, thank you. I am also trying to report this to Ethio Telecom.

3 Likes

I did a quick scan of all the TLDs in https://data.iana.org/TLD/tlds-alpha-by-domain.txt and confirmed none of the other TLDs have CAA records.

If anyone else cares, the script is here: https://github.com/mcpherrinm/caa-tld-check (Check which TLDs have CAA records)

7 Likes

There's an article published by APNIC that says as of May 2023 no TLD had one set. That's part of why I said this was probably the first. While I could imagine a TLD that legitimately had one (like the actually-owned-by-a-company TLDs of .google and .apple and such), I really wouldn't expect a country code TLD to have one.

4 Likes
