How to Blacklist domains?


#1

I would like to blacklist some of my owned domains and prevent Let’s Encrypt issuing a certificate for any them. Is this possible?


#2

Just don’t issue a certificate for them. Only someone with access to the website files would be able to verify the domain to get a certificate issued.


#3

Hi, it is possible via CAA DNS Record. This was already disused here.
https://tools.ietf.org/html/rfc6844


#4

Any reason why you want to blacklist Let’s Encrypt specifically?


#5

Thank you. Glad to know LetsEncrypt support this.


#6

They wouldn’t be trusted if they issued certificates without verification. It’s a requirement to be accepted.

Do note that anyone with filesystem access to the websites can authorize a certificate from any certificate authority. That’s been possible for some time now. Make sure you limit access to people you trust and you’ll be fine.


#7

That is wrong most CA will require email verification against the WHOIS Record email.


#8

It depends. COMODO and some other providers also offer DNS-based and HTTP-based validation for DV certificates.


#9

Technically wrong, it is not mandatory for any CA to check for a CAA DNS record before issuing a certificate.


#10

According to the Baseline Requirements in section 3.2.2.4, the CA can confirm ownership by:

  1. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;
  2. Communicating with the Domain’s administrator using an email address created by pre‐pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at‐sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
  3. Relying upon a Domain Authorization Document;
  4. Having the Applicant demonstrate practical control over the FQDN by making an agreed‐upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or
  5. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously describe

Items 3 and 4 cover the e-mail authorization method, item 6 covers the web-root verification method, and item 7 would allow DNS record based verification.


#11

You have clearly misunderstood what I have said. I never stated that DNS record cannot be used to validate ownership if a domain name so that a certificate can be generated.

What I stated was, Issuing Certificate authorities are not required (although they often do) to take notice of a CAA DNS Record. A CAA DNS record specifies which certificate authorities are allowed to generate SSL certificates for that domain name.

If the CA can prove that they have validated ownership of a domain name using one of the permitted methods, they can ignore the CAA DNS Record.


#12

Why should they ignore the CAA record in that case? Doesn’t that make the CAA record useless?


#13

the point is. from a morality and trust standpoint they shouldnt but iirc CAA support is optional meaning that CAs CAN ignore it.