Rechecking CAA at issuance time for some authorizations


CAA will become mandatory for all CAs on September 8. Let’s Encrypt has always checked CAA at validation time, but will soon start checking at issuance time in certain situations as well. This is because the upcoming CA/Browser Forum CAA requirements specify that CAA must be checked within 8 hours prior to issuance. Because validations from Let’s Encrypt are usable for up to 30 days, this can mean we sometimes have to recheck.

If an authorization was validated in the last 8 hours, we know that CAA was checked as well, and won’t recheck. This means that things will continue to work as typical for most clients, because most clients authorize and issue at the same time.

For subscribers that reuse authorizations over a period of multiple days, there’s a slightly increased chance that you may receive transient CAA errors during the new-cert request. You can retry these, though as always please be polite; retrying twice a day is generally sufficient if you are renewing well in advance of expiration. The most common scenario where subscribers reuse authorizations over a period of multiple days is when hosting providers consolidate many domain names on a single certificate with many SANs.

If you run into trouble, please read our documentation page about CAA: I’ll post here once the change is deployed to staging, and again when it’s deployed to production.
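The following Python script is an added illustration, not part of the original post and not Let's Encrypt's own code (Boulder). It models the two rules stated above from the CA's side: an authorization validated within the last 8 hours is reused without a CAA recheck, an older one (up to the 30-day reuse limit) triggers a CAA recheck at new-cert time, and a recheck that no longer permits the CA fails the whole request. The CAA lookup follows the general RFC 6844/8659 semantics (climb to the closest ancestor name that has CAA records; `issue` tags decide, `issuewild` takes over for wildcard names). The zone snapshot, the domain names and the `Authorization` class are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CAA_RECHECK_WINDOW = timedelta(hours=8)   # CA/B Forum: CAA checked within 8 hours of issuance
AUTHZ_LIFETIME = timedelta(days=30)       # Let's Encrypt: validations reusable for up to 30 days
CA_ID = "letsencrypt.org"                 # CAA issuer-domain-name that Let's Encrypt matches on

# Constructed CAA snapshot for the example: {dns_name: [(tag, value), ...]}.
# All names are hypothetical; no real zone is consulted.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "locked.example.net": [("issue", ";")],            # ";" means no CA may issue
    "example.org": [("issue", "other-ca.example")],    # only some other CA
    "sub.example.org": [("issue", "letsencrypt.org")], # child overrides parent
}


def caa_permits(domain, ca_id=CA_ID, zone=CAA_ZONE, wildcard=False):
    """RFC 6844/8659-style check: does the closest CAA record set allow ca_id?"""
    labels = domain.lower().rstrip(".").split(".")
    records = None
    for i in range(len(labels)):                 # domain, then each parent in turn
        records = zone.get(".".join(labels[i:]))
        if records:
            break
    if not records:
        return True                               # no CAA anywhere: issuance unrestricted
    issue = [v for t, v in records if t == "issue"]
    issuewild = [v for t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                               # no relevant property: unrestricted
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()   # drop parameters after ";"
        if issuer == ca_id:
            return True
    return False


@dataclass
class Authorization:
    identifier: str          # DNS name this authorization covers
    validated_at: datetime   # when the challenge (and therefore CAA) was last checked


def plan_new_cert(authzs, now, zone=CAA_ZONE):
    """Simulate a new-cert request against a set of cached authorizations.

    Returns which identifiers were rechecked for CAA, which of those failed,
    which authorizations are past the 30-day reuse limit, and whether the
    certificate would be issued.
    """
    rechecked, caa_failures, expired = [], [], []
    for authz in authzs:
        age = now - authz.validated_at
        if age > AUTHZ_LIFETIME:
            expired.append(authz.identifier)      # must be re-validated, not reused
            continue
        if age <= CAA_RECHECK_WINDOW:
            continue                              # fresh: CAA already checked, no recheck
        rechecked.append(authz.identifier)
        wildcard = authz.identifier.startswith("*.")
        name = authz.identifier[2:] if wildcard else authz.identifier
        if not caa_permits(name, zone=zone, wildcard=wildcard):
            caa_failures.append(authz.identifier)
    return {
        "rechecked": rechecked,
        "caa_failures": caa_failures,
        "expired": expired,
        "issued": not caa_failures and not expired,
    }


if __name__ == "__main__":
    now = datetime(2017, 9, 8, 12, 0, tzinfo=timezone.utc)
    authzs = [
        Authorization("www.example.com", now - timedelta(hours=1)),     # fresh
        Authorization("example.org", now - timedelta(days=3)),          # stale, CAA now denies
        Authorization("sub.example.org", now - timedelta(days=3)),      # stale, CAA permits
        Authorization("locked.example.net", now - timedelta(hours=9)),  # stale, CAA forbids all
    ]
    print(plan_new_cert(authzs, now))
```

Run stand-alone, the script prints a multi-SAN request in which only the stale authorizations are rechecked and two of them fail CAA, which is exactly the situation a hosting provider reusing days-old authorizations on a large certificate would see as a new-cert error.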


Rechecking CAA at issuance time is now live for both production and staging.
