CAA validation error on CNAME lookup with on CAA record

We host subdomains for clients in a Ruby application. The client sets up a subdomain DNS record with a CNAME pointing to our application. We then use LetsEncrypt to issue a certificate from the application (using acme-client ruby gem).

For a single client we get CAA validation failed error on subdomain ‘jobs.dcvc.com’, and find that the main domain ‘dcvc.com’ has CAA records for Comodo and Thawte. Since the subdomain is just a CNAME record for our application domain ‘ns3.monday.vc’, those CAA records should not be affecting the certificate validation if I’m reading the https://letsencrypt.org/docs/caa/ correctly.

I understand it that since ‘jobs.dcvc.com’ is a CNAME, LE validation follows the CNAME redirection and request CAA records from our domain (ns3.monday.vc -> monday.vc) and in finding none, should issue the certificate.

This is the only client with the issue. We issue certificates with client subdomains as SANs without issue for many other clients.

Many thanks.

1 Like

Hi @TimJones

that’s the “Tree climbing”:

The CAA RFC specifies an additional behavior called “tree-climbing” that requires CAs to also check the parent domains of the result of CNAME resolution. This additional behavior was later removed by an erratum, so Let’s Encrypt and other CAs do not implement it.

That’s not used.

But if jobs.dcvc.com is a CNAME, then first ns3.monday.vc is checked. If there is no CAA, next dcvc.com (tree climbing of the original domain) is done. There is a blocking CAA.

So create a CAA with ns3.monday.vc+ letsencrypt.org.

–>> All CNAMES with that destination -> letsencrypt.org is allowed to create certificates.

1 Like

Thanks for the confirmation. I wasn’t expecting the tree-climbing to ‘go back’ to the main domain after a CNAME had been climbed.

I forgot to mention in my message that our ns3.monday.vc is also a CNAME pointing to a Heroku Load Balancer, so we cannot add a CAA record to that domain. If I add one to 'monday.vc` it would not be climbed by the validation rules, correct?

1 Like

Correct. :frowning: Your options are:

  • Get the dcvc.com. CAA records modified,
  • Get Heroku to add CAA records at quiet-yak-vt2ttb2agok6riccmd3nxddj.ssl.herokudns.com., or
  • Find a third option (e.g. stop using Heroku, use some kind of proprietary alias record instead of a CNAME…)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.