CAA records and Subject Alternative Names

My website is hosted by Google’s Firebase Hosting. Google provision a certificate from Let’s Encrypt. The certificate is shared between many websites. My domain is one of about 100 Subject Alternative Names on the certificate; I don’t own the rest.

What would happen if I changed the CAA record for my domain to forbid Let’s Encrypt from issuing certificates? Assuming CAA records are respected for Subject Alternative Names, I understand any request to renew the certificate would be refused. Would it take down the other websites? Would Google react and provision a certificate for the other domains excluding mine?

Once domain ownership is verified we will provision an SSL certificate for your domain and deploy it across our global CDN. This process can take several hours.

Domains will be listed as Subject Alternative Names in the FirebaseApp SSL certificate.

Hi @mattme,

That's an interesting question! I think ultimately only Google/Firebase will be in a position to answer definitively.

From the perspective of the CA, if you added a CAA record that forbade issuance by Let's Encrypt then it would appear as a distinct, but similar, failure type to any authorization failure (e.g. if the HTTP-01 or TLS-SNI-01 or DNS-01 challenge response was invalid). I suspect a well designed integration like Google/Firebase likely already has a mechanism in place to handle the case where 1 of the <100 SAN domains they are trying to issue for fails validation, and could handle it accordingly.

I don't know for sure! You could always ask your support rep :slight_smile:
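To make the per-SAN failure above concrete, here is an added example (not code from the thread, Firebase or Let's Encrypt) that applies RFC 8659 CAA evaluation to every name in a shared-certificate SAN list and splits it into names the CA may still issue for and names a CAA record blocks. The CAA records, hostnames and the CA identifier `letsencrypt.org` are constructed assumptions for the demonstration.

```python
# Added example: RFC 8659 CAA evaluation per SAN, then partition the SAN list.
# Not from the original thread; records below are constructed sample data.
from typing import Dict, List, Tuple

# Constructed CAA zone data, keyed by FQDN: list of (tag, value) records.
CAA_ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com": [("issue", "letsencrypt.org")],          # LE allowed
    "blocked.example.com": [("issue", "pki.goog")],         # only another CA
    "onlyiodef.example.net": [("iodef", "mailto:sec@example.net")],  # no issue tag
    "other.org": [("issue", ";")],                          # explicitly no CA
}


def relevant_caa_set(name: str, zone: Dict[str, List[Tuple[str, str]]]):
    """RFC 8659 section 3: walk from the name toward the root and use the
    first non-empty CAA record set found (parents apply to children)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []


def ca_may_issue(name: str, ca_id: str, zone) -> bool:
    """True if the CA identified by ca_id may issue a non-wildcard cert
    for name. Wildcard names and the issuewild tag are not modelled."""
    records = relevant_caa_set(name, zone)
    issue_values = [v for tag, v in records if tag == "issue"]
    if not issue_values:
        return True  # no "issue" property present: any CA may issue
    # The CA identifier precedes any ";param=value" list; ";" alone means nobody.
    return any(v.split(";")[0].strip() == ca_id for v in issue_values)


def partition_sans(sans: List[str], ca_id: str, zone) -> Tuple[List[str], List[str]]:
    """Split a SAN list into (issuable, blocked_by_caa) for the given CA."""
    issuable, blocked = [], []
    for san in sans:
        (issuable if ca_may_issue(san, ca_id, zone) else blocked).append(san)
    return issuable, blocked
```

A client renewing a shared certificate can re-request with `blocked` removed so the remaining `issuable` names are not held up by one domain's CAA policy.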

You would not be able to get certificates issued if CAA does not allow for Let’s Encrypt certificates

Google may not deal with the failures gracefully. It all depends on how they write their clients.
