What CAA records should use for Let's Encrypt?

What CAA records should use for Let’s Encrypt for my provider?

I want to cover under Let’s Encrypt my domain example.com and all subdomains *.example.com

For generate CAA record I’ve used https://sslmate.com/caa/ but haven’t experience in current options

As I understand I need choose Empty Policy and wildcard-checkbox, which generate that

0 issue “;”
0 issuewild “letsencrypt.org

Could you verify me? What is strange record with ; value?

Thank you

1 Like

Hi @ravecat

that blocks all.

0 issue “letsencrypt.org

is the typical definition.

That allows Letsencrypt to create non-wildcard and wildcard-certificates.

If you don’t want to allow wildcards, add

0 issuewild “;”

PS: If you want that

you must allow both, *.example.com + example.com.

PPS: That’s only required if you want to create a wildcard certificate. If you create a certificate with a lot of subdomains, that’s not a wildcard certificate.

1 Like

not really, CAA checks parent domains: a CAA record on example.com applies to its subdomains.

(It doesn’t check parent domains through cname, though) https://letsencrypt.org/docs/caa/

The CAA RFC specifies an additional behavior called “tree-climbing” that requires CAs to also check the parent domains of the result of CNAME resolution. This additional behavior was later removed by an erratum, so Let’s Encrypt and other CAs do not implement it.

1 Like

So as I understand record 0 issue “letsencrypt.org is enough?

He must.

allows only *.example.com, not example.com. But a certificate with *.example.com doesn’t work with example.com.

The Tree climbing is another problem.

1 Like

And what record should me use for root and all subdomain? Probably my current issues depends on my wrong record

1 Like

Yeah, hadn’t noticed this. Unusual to have issuewild more permissive than issue. :smiley:

1 Like

Yes. If no issuewild is defined, the issue includes the issuewild. See my CAA - https://check-your-website.server-daten.de/?q=server-daten.de#caa

5 issue letsencrypt.org; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/5532373

5 issue letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/35657966

allows to create a wildcard certificate with *.server-daten.de + server-daten.de.

But it doesn’t work with SSLMate.

1 Like