Re: Enabling ACME CAA Account and Method Binding

The ones that are both changing validation methods or account URI, while at the same time adding conflicting CAA restrictions by validation method or account URI? I'm not seeing why that would happen that often.

3 Likes

Account restrictions are done at the DNS/domain level.
That simple little change could affect ALL users - which might not all be using the same LE account.
Which in the case of laaaarge users, might be thousands of systems.

2 Likes

I admit to not understanding all the nuances of the cached auth. But, in practical terms, wouldn't someone be affected if:

  1. Requesting first wildcard cert after getting non-wildcard with HTTP challenge
  2. Request within 30 days of last cert
  3. Use new CAA format for validation method

I believe this is just re-framing Aaron's specs from technical to situational. And, if accurate, shows a fairly simple change (to wildcard) could fail for no apparent reason.

3 Likes

It's a good thought, but no, that failure mode is not possible. When requesting a wildcard cert, we know that DNS-01 is the only acceptable validation method ahead of time. If there are any cached validations which used other methods, those are not deemed acceptable and are not attached to the new order. So switching from non-wildcard to wildcard can't trigger this failure mode.

5 Likes

Just *.acme.com wouldn't cause it, but wouldn't a cert order with the base domain and the wildcard of that domain be hit by this edge case? sni: dns: acme.com, dns: *.acme.com. Adding the base domain itself to a wildcard certificate is a standard process, as the wildcard doesn't cover the base domain itself.

3 Likes
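The edge case raised above (a cached http-01 authorization for the base name, then a CAA record restricting the method to dns-01 before the wildcard order) can be walked through with a small RFC 8657-style CAA parameter check. This is an added example, not code from the thread or from Let's Encrypt; the record values, the `acme.com` names and the account URI are constructed for illustration.

```python
# Added example, not code from the thread or from Let's Encrypt: a small
# RFC 8657-style check of CAA "issue"/"issuewild" parameters (accounturi,
# validationmethods). Record values, names and URIs below are constructed.

def parse_caa_value(value: str):
    """'ca.example; k=v; k2=v2' -> (issuer domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def caa_permits(records, name, ca, account_uri, method):
    """Does this CAA record set permit `ca` to issue for `name` using the given
    ACME account and validation method? `records` is a list of (tag, value)
    pairs found for the domain (the parent walk is assumed already done)."""
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for t, _ in records):
        tag = "issuewild"           # issuewild takes precedence for wildcards
    relevant = [parse_caa_value(v) for t, v in records if t == tag]
    if not relevant:
        return True                 # no CAA restriction of this kind
    for issuer, params in relevant:
        if issuer != ca.lower():
            continue
        if params.get("accounturi", account_uri) != account_uri:
            continue                # bound to a different ACME account
        allowed = params.get("validationmethods")
        if allowed and method.lower() not in {m.strip().lower() for m in allowed.split(",")}:
            continue                # this validation method is not allowed
        return True
    return False

def conflicting_sans(sans, cached_methods, records, ca, account_uri):
    """SANs whose cached authorization used a method the CAA set now rejects.
    Names without a cached authorization are assumed to be validated fresh
    with dns-01 (the only method possible for wildcards)."""
    return [n for n in sans
            if not caa_permits(records, n, ca, account_uri,
                               cached_methods.get(n, "dns-01"))]

# Constructed scenario: acme.com was first validated with http-01, then the
# CAA record was tightened to dns-01 before the base+wildcard order.
ACME_COM_CAA = [("issue", "letsencrypt.org; validationmethods=dns-01")]
ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/0000000"  # placeholder
CACHED = {"acme.com": "http-01"}

if __name__ == "__main__":
    print(conflicting_sans(["acme.com", "*.acme.com"], CACHED, ACME_COM_CAA,
                           "letsencrypt.org", ACCOUNT))   # ['acme.com']
```

The wildcard name passes because only dns-01 can ever be used for it, while the base name fails on its reused http-01 authorization, which is the mismatch the post above asks about.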

I think generally, the people updating the CAA record would be doing so in order to try to break the integrations that aren't using the approved, central LE account. Like in this thread from a couple years ago, where the owners of the domain were trying to figure out how to stop the users that hosted subdomains from doing their own HTTP-01 challenge instead of going through the central system.

7 Likes
