DNS CAA for Let's Encrypt

I set up a Let's Encrypt certificate earlier today and later added the www. subdomain to the certificate. Now, I would like to add a DNS record for CAA. However, I'm a bit confused as to how to do that.

I tried going through the steps here: CAA Record Generator

But, I'm not sure if I'm using a "Wildcard" certificate or not. Also, do I need to add a DNS entry for www.videochums.com. separately?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): Apache 2
The operating system my web server runs on is (include version): Debian 10
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.14.0

1 Like

It doesn't look like a wildcard cert has even been issued.
So I would think not.

No, one entry can cover the entire domain (to include all subdomains).

3 Likes

A "wildcard" is the word for a thing that counts as though it were anything else. For example some card games leave the Jokers in the deck and then "Jokers wild" means if you needed say, a 4 of hearts, but you have a Joker that's good enough.

Certificates in the Web PKI (the ones you want for a web server) list one or more names; they say this issuer (for you, Let's Encrypt) promises that it issued this certificate to somebody who controlled these names. For Let's Encrypt these names must be DNS names, like letsencrypt.org or webmail.example.com, but you can use the asterisk symbol at the start as a wildcard, to match exactly one label in the name. A "label" is the part between dots. So *.example.com is acceptable as a name for a certificate for www.example.com or webmail.example.com or cheese-and-crackers.example.com, but it won't do for www.texas.example.com (matching two labels) or example.com (matching zero labels).

Most people won't need wildcard certificates, if you're not sure you probably don't have or need one. Let's Encrypt has different rules about what you need to do to get one, and it is (marginally) less safe to have wildcards, so you needn't worry about this unless what I said above feels like a thing you need.

But if you're really unsure, it's fine to just check both boxes. What the boxes do is they tell the CA you tick "You are allowed to issue these certificates". They don't actually cause any certificates to be issued. They're on the honour system, but we trust these outfits to issue certificates, so on the whole they are very honourable people; like us all, they make mistakes, and the CAA system makes it harder to make mistakes. So if you pick "Wildcard" and "Not Wildcard" for Let's Encrypt, even if you never use wildcards it doesn't cause any real harm.

2 Likes

One should also note that normal CAA records take priority, if no CAA wildcard records are present.

That means you never need CAA wildcard records, unless you want different behavior (e.g. more restrictions) for non-wildcard vs. wildcard. If you just want to control issuance in general, a normal record is sufficient.

2 Likes
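The two points made in the replies above (one apex record covers www.videochums.com, and issuewild is only consulted for wildcard requests when it exists) can be checked with a small simulation of the RFC 8659 lookup rules. This is an added example, not code from the thread or from Let's Encrypt; the zone contents are constructed, and a real CA resolves CAA over DNS rather than from a dictionary.

```python
# Added example (not from the thread): minimal RFC 8659 CAA evaluation over a
# constructed zone. Shows that a single "issue" record at videochums.com already
# governs www.videochums.com, and that "issuewild" only matters when you want
# wildcard requests treated differently from ordinary names.

# Constructed zone: name -> list of (flags, tag, value). Only the apex has CAA.
SAMPLE_ZONE = {
    "videochums.com": [(0, "issue", "letsencrypt.org")],
}
# Constructed variant: ordinary names allowed, wildcard issuance forbidden.
NO_WILDCARD_ZONE = {
    "videochums.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}


def relevant_caa(name, zone):
    """Climb from `name` toward the root; the first label set that has CAA
    records is the relevant RRset (RFC 8659 section 3)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def caa_permits(name, ca, zone):
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue
    for `name`. A leading '*.' marks a wildcard request."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]  # a wildcard name uses its parent's CAA records
    _, rrset = relevant_caa(name, zone)
    # An unknown tag with the critical flag (bit 0x80) set means "refuse".
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild is used only for wildcard requests and only when present;
    # otherwise the plain issue records apply to wildcards as well.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no restricting records: any CA may issue
    # "letsencrypt.org; validationmethods=dns-01" names the CA before the
    # first ';'; a bare ";" names no CA at all, so nobody may issue.
    allowed = {v.split(";", 1)[0].strip() for v in applicable}
    return ca in allowed
```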

Thanks! Added the record and it looks like it works.

1 Like
