.sr tld CA issues

It appears that there is a problem with getting a CA from letsencrypt for a .SR domain. This problem has been mentioned before. Are there any updates for a solution?
I am looking into this and have contacts with the registrar to hopefully get this resolved.
What is the cause of the problem?
Is this issue specific to letsencrypt?

Well, there's a bug with the TLD's DNS servers. When you ask them for CAA records, instead of saying "there aren't any," they don't respond. 🙁

No and yes. CAs are all required to implement CAA. Under the circumstances, CAs are allowed to ignore the failure and treat it as permission to issue; Let's Encrypt has a simple and strict implementation that, well, doesn't.

Good question! I don't know.

As of August or September, the TLD's DNS vendor was working on it.

If your domain's DNS provider supports it, create CAA records (that allow letsencrypt.org to issue). If your domain has CAA records, the TLD's CAA records -- or errors -- don't come into play.


Background:

Incomplete list of .sr certificates issued by Let's Encrypt and some other CAs:

https://crt.sh/?q=%25.sr

(The list of Let's Encrypt certificates is complete. But for some CAs, it's not complete.)

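The CAA lookup behaviour discussed in this thread, as an added example that is not part of the original posts and is not Let's Encrypt's code: it climbs from the requested name toward the TLD (RFC 8659 style) against a simulated resolver, so it shows why an unresponsive TLD blocks a strict CA and why CAA records on the domain itself avoid the TLD query. The zone data, the `tolerate_failure` switch and all function names are constructed for illustration; CNAME handling and `issuewild` are left out.

```python
class LookupFailure(Exception):
    """The authoritative servers did not answer (timeout or SERVFAIL)."""

# Constructed zone data. Value: list of (tag, value) CAA records, [] for a
# clean "no CAA records" answer, or LookupFailure for servers that never reply.
ZONES = {
    "www.example.sr": [],
    "example.sr": [],
    "www.secured.sr": [],
    "secured.sr": [("issue", "letsencrypt.org")],
    "other.sr": [("issue", "ca.example")],
    "sr": LookupFailure,   # the TLD behaviour described in the thread
    "example.org": [],
    "org": [],
}
QUERIED = []               # names actually asked, for inspection

def query_caa(name):
    """Simulated CAA query; raises LookupFailure when nothing responds."""
    QUERIED.append(name)
    answer = ZONES.get(name, [])
    if answer is LookupFailure:
        raise LookupFailure(name)
    return answer

def relevant_caa(fqdn):
    """Climb from fqdn toward the TLD; return the first non-empty CAA set."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = query_caa(".".join(labels[i:]))
        if records:
            return records  # found: parent zones are never queried
    return []

def may_issue(fqdn, ca_domain, tolerate_failure=False):
    """Issuance decision for ca_domain (tolerate_failure is hypothetical)."""
    try:
        records = relevant_caa(fqdn)
    except LookupFailure:
        return tolerate_failure  # strict CA refuses, lenient CA proceeds
    # Only "issue" properties restrict issuance in this simplified model.
    issuers = [v.split(";")[0].strip() for tag, v in records if tag == "issue"]
    if not issuers:
        return True              # no restricting property found
    return ca_domain in issuers
```
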