I have a domain I manage through Cloudflare (for DNS and cert transparency). I am receiving these notices:
Cloudflare has observed issuance of the following certificate for xxx or one of its subdomains:
Log date: 2022-03-28 02:30:51 UTC
Issuer: CN=R3,O=Let's Encrypt,C=US
Validity: 2022-03-28 01:30:51 UTC - 2022-06-26 01:30:50 UTC
Yet for that same domain here's the CAA record:
0 issue cloudflare.com
Is there any valid reason why Let's Encrypt would be issuing certs for that domain?
The CAA record may have been different at the moment of validation. Since Cloudflare is your DNS provider, they may have automatically changed it in order to support their own automatic certificate issuance, which does sometimes use Let’s Encrypt.
I believe this is related to their recently introduced "backup certificate" feature: https://blog.cloudflare.com/introducing-backup-certificates/
Has the SOA record number changed?
If you check your domain's CAA records with dig you will find more than you entered.
Cloudflare automatically adds additional entries which are invisible to the control panel.
Thanks all for the responses; I didn't connect the dots with the Cloudflare backup cert announcement. And indeed, when I look at CAA records from the CLI:
host -t CAA xxx
xxx has CAA record 0 issue "cloudflare.com"
xxx has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
xxx has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
xxx has CAA record 0 issue "comodoca.com"
xxx has CAA record 0 issue "letsencrypt.org"
xxx has CAA record 0 issuewild "comodoca.com"
xxx has CAA record 0 issuewild "letsencrypt.org"
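To see why a Let's Encrypt issuance is consistent with that record set, the following added example (not code from the thread or from Cloudflare) parses `host -t CAA` output into records and applies the RFC 8659 issue/issuewild rules to ask whether a given CA is authorized. The sample input is the thread's record set, embedded as a constructed string; it evaluates one name's RRset only and does not climb to parent names the way a real CA does.

```python
import re

# Constructed sample input: the CAA set the thread shows, in `host -t CAA` output form.
HOST_OUTPUT = """\
xxx has CAA record 0 issue "cloudflare.com"
xxx has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
xxx has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
xxx has CAA record 0 issue "comodoca.com"
xxx has CAA record 0 issue "letsencrypt.org"
xxx has CAA record 0 issuewild "comodoca.com"
xxx has CAA record 0 issuewild "letsencrypt.org"
"""
LINE_RE = re.compile(r'^\S+ has CAA record (\d+) (\S+) "([^"]*)"$')
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)

def parse_host_caa(text):
    """Parse `host -t CAA` lines into (flags, tag, issuer_domain, params) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a CAA record line
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        fields = [f.strip() for f in value.split(";")]
        params = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        records.append((flags, tag, fields[0].lower(), params))
    return records

def issuer_allowed(records, issuer_domain, wildcard=False):
    """RFC 8659 check for one name's CAA set (no parent-name climbing here).
    issuewild governs wildcard requests when present, otherwise issue does.
    An empty relevant set imposes no restriction; an empty issuer domain
    (e.g. `0 issue ";"`) forbids every CA; an unknown critical tag blocks all."""
    if any(f & CRITICAL and t not in ("issue", "issuewild", "iodef") for f, t, _, _ in records):
        return False
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _, _ in records) else "issue"
    allowed = {d for _, t, d, _ in records if t == tag}
    if not allowed:
        return True
    return issuer_domain.lower() in allowed  # an empty-domain record never matches a real CA

if __name__ == "__main__":
    caa = parse_host_caa(HOST_OUTPUT)
    for ca in ("letsencrypt.org", "cloudflare.com", "globalsign.com"):
        print(f"{ca:16} issue={issuer_allowed(caa, ca)} issuewild={issuer_allowed(caa, ca, wildcard=True)}")
```

Run against live data by piping `host -t CAA yourdomain` into `parse_host_caa`; note that cloudflare.com is permitted for ordinary names but not for wildcards, because issuewild records exist and none names it.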