What CAA records should use for Let's Encrypt?

ravecat · March 16, 2020, 10:06pm

What CAA records should use for Let’s Encrypt for my provider?

I want to cover under Let’s Encrypt my domain example.com and all subdomains *.example.com

For generate CAA record I’ve used https://sslmate.com/caa/ but haven’t experience in current options

As I understand I need choose Empty Policy and wildcard-checkbox, which generate that

0 issue “;”
0 issuewild “letsencrypt.org”

Could you verify me? What is strange record with ; value?

Thank you

JuergenAuer · March 16, 2020, 10:11pm

Hi @ravecat

that blocks all.

0 issue "letsencrypt.org"

is the typical definition.

That allows Letsencrypt to create non-wildcard and wildcard-certificates.

If you don't want to allow wildcards, add

0 issuewild ";"

PS: If you want that

you must allow both, *.example.com + example.com.

PPS: That's only required if you want to create a wildcard certificate. If you create a certificate with a lot of subdomains, that's not a wildcard certificate.

9peppe · March 16, 2020, 10:21pm

not really, CAA checks parent domains: a CAA record on example.com applies to its subdomains.

(It doesn't check parent domains through cname, though) Certificate Authority Authorization (CAA) - Let's Encrypt

The CAA RFC specifies an additional behavior called “tree-climbing” that requires CAs to also check the parent domains of the result of CNAME resolution. This additional behavior was later removed by an erratum, so Let’s Encrypt and other CAs do not implement it.

ravecat · March 16, 2020, 10:25pm

So as I understand record 0 issue "letsencrypt.org" is enough?

JuergenAuer · March 16, 2020, 10:25pm

He must.

allows only *.example.com, not example.com. But a certificate with *.example.com doesn't work with example.com.

The Tree climbing is another problem.

ravecat · March 16, 2020, 10:27pm

And what record should me use for root and all subdomain? Probably my current issues depends on my wrong record

9peppe · March 16, 2020, 10:28pm

Yeah, hadn't noticed this. Unusual to have issuewild more permissive than issue.

JuergenAuer · March 16, 2020, 10:28pm

Yes. If no issuewild is defined, the issue includes the issuewild. See my CAA - https://check-your-website.server-daten.de/?q=server-daten.de#caa

5 issue letsencrypt.org; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/5532373

5 issue letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/35657966

allows to create a wildcard certificate with *.server-daten.de + server-daten.de.

But it doesn't work with SSLMate.

system · April 15, 2020, 10:42pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CAA Question - issue / issuewild Issuance Policy	9	1412	October 22, 2023
CAA & CNAME along with external service Help	10	2056	May 20, 2021
Wildcard cert. Should I add to my DNS: @ 3600 IN CAA 0 issuewild "letsencrypt.org"? Help	11	1556	February 2, 2023
CAA & certificate issuance problem with a previously working setup Help	5	613	July 6, 2024
DNS CAA for Let's Encrypt Help	5	1705	May 29, 2021

What CAA records should use for Let's Encrypt?

Related topics