My website is hosted by Google’s Firebase Hosting. Google provisions a certificate from Let’s Encrypt. The certificate is shared between many websites. My domain is one of about 100 Subject Alternative Names on the certificate; I don’t own the rest.
What would happen if I changed the CAA record for my domain to forbid Let’s Encrypt from issuing certificates? Assuming CAA records are respected for Subject Alternative Names, I understand any request to renew the certificate would be refused. Would it take down the other websites? Would Google react and provision a certificate for the other domains excluding mine?
That's an interesting question! I think ultimately only Google/Firebase will be in a position to answer definitively.
From the perspective of the CA, if you added a CAA record that forbade issuance by Let's Encrypt then it would appear as a distinct, but similar, failure type to any authorization failure (e.g. if the HTTP-01 or TLS-SNI-01 or DNS-01 challenge response was invalid). I suspect a well designed integration like Google/Firebase likely already has a mechanism in place to handle the case where 1 of the <100 SAN domains they are trying to issue for fails validation, and could handle it accordingly.
I don't know for sure! You could always ask your support rep.
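To see how the per-SAN CAA check described in the question and answer plays out from the CA's side, here is an added example (not part of this thread, and not Let's Encrypt's or Google's code). It walks each SAN toward the root the way RFC 8659 describes, finds the relevant CAA RRset, and reports which names would be refused. The zone data is constructed and stands in for live DNS; CNAME following and DNSSEC are deliberately left out, and the `pki.example` CA name is made up.

```python
"""Evaluate CAA policy independently for each Subject Alternative Name.

Added example, not from the forum thread and not Let's Encrypt or Google code.
CONSTRUCTED_ZONES replaces a real DNS lookup so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data: FQDN -> CAA records. An empty list means the name
# exists but carries no CAA records (lookup then climbs to the parent).
CONSTRUCTED_ZONES: Dict[str, List[Record]] = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    "example.net.": [],
    "forbid.example.org.": [(0, "issue", ";")],      # ";" = no CA may issue
    "example.org.": [(0, "issue", "letsencrypt.org")],
    "other-ca.test.": [(0, "issue", "pki.example")],  # hypothetical other CA
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128


def normalize(name: str) -> str:
    return name.lower().rstrip(".") + "."


def lookup_caa(name: str) -> List[Record]:
    """Stand-in for a DNS CAA query (no CNAME following in this example)."""
    return CONSTRUCTED_ZONES.get(normalize(name), [])


def relevant_caa(name: str) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 section 3: climb from the name toward the root; the first
    owner with any CAA records is the Relevant RRset. Returns (owner, rrset)."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = lookup_caa(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuance_permitted(san: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for one SAN dNSName."""
    wildcard = san.startswith("*.")
    base = san[2:] if wildcard else san
    owner, rrset = relevant_caa(base)
    if owner is None:
        return True, f"{san}: no CAA records found, issuance permitted"
    # An unknown tag marked critical forbids issuance outright (section 4.1).
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"{san}: critical unknown CAA tag at {owner}"
    # Wildcards use issuewild when present, otherwise fall back to issue.
    tags = {"issue"}
    if wildcard:
        has_wild = any(tag == "issuewild" for _, tag, _ in rrset)
        tags = {"issuewild"} if has_wild else {"issue"}
    # Value may carry parameters after ";" (e.g. validationmethods); keep the CA part.
    values = [value.split(";", 1)[0].strip().lower()
              for _, tag, value in rrset if tag in tags]
    if not values:
        return True, f"{san}: CAA at {owner} does not restrict this request type"
    if ca_domain.lower() in values:
        return True, f"{san}: CAA at {owner} authorizes {ca_domain}"
    return False, f"{san}: CAA at {owner} does not authorize {ca_domain}"


def check_certificate_request(sans: List[str], ca_domain: str) -> Dict[str, List[str]]:
    """Evaluate every SAN on its own, as a CA must, and group the outcomes.
    One refused SAN does not change the verdict for the others."""
    result: Dict[str, List[str]] = {"permitted": [], "refused": []}
    for san in sans:
        ok, reason = issuance_permitted(san, ca_domain)
        result["permitted" if ok else "refused"].append(reason)
    return result


if __name__ == "__main__":
    # Constructed stand-in for a shared certificate's SAN list.
    shared_sans = ["www.example.com", "example.net", "forbid.example.org",
                   "*.example.org", "other-ca.test"]
    for outcome, reasons in check_certificate_request(shared_sans, "letsencrypt.org").items():
        print(outcome)
        for line in reasons:
            print("  " + line)
```

Run as-is, the report shows `forbid.example.org` and `other-ca.test` refused while the remaining SANs stay permitted, which is the "one SAN fails validation" situation the answer describes; what the hosting provider then does with a partially refused request is an integration decision outside the CA's policy check.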