Will the ACME challenge first check the DNS or CAA record before issuing the certificate?


I am trying to understand the steps involved in completing the challenge. If I have added a CAA record in my settings, will the ACME challenge check the address first, or will it check the CAA record and get rid of the extra steps?

Hi @prok_in,

The CAA record can only be used to forbid a CA from issuing certificates for your site. It doesn’t substitute for or bypass the need to perform domain validation to prove that you control the domain name. When you request a certificate from Let’s Encrypt, you’ll need to perform a validation challenge step to prove that you control the domain name—whether or not you have a CAA record.

If you don’t want particular CAs to issue certificates for your site, you can use CAA to list which CAs are permitted to issue. That’s the only purpose or effect of using CAA.
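The two independent gates described in the answer above, as an added example that is not part of the original thread or Let's Encrypt's own code: a CAA lookup that can only veto issuance, combined with a validation result that is always required. The `ZONE` data and all function names are assumptions made for illustration; only non-wildcard names and the `issue` property are modelled (no CNAME handling, no critical flags), and the order in which a CA runs the two checks is not modelled.

```python
# Constructed CAA data standing in for DNS; names and records are illustrative only.
ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "locked.example.com": [("issue", ";")],   # empty issuer: no CA may issue
    "example.net": [],                         # no CAA record published
}


def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset (RFC 8659)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def caa_permits(fqdn, ca_id, zone):
    """True if CAA does not forbid ca_id from issuing for a non-wildcard fqdn."""
    issue_values = [v for tag, v in relevant_caa(fqdn, zone) if tag.lower() == "issue"]
    if not issue_values:
        # No CAA at all, or no 'issue' property: issuance is unrestricted.
        return True
    # The issuer domain is the part before any ';' parameters; empty means "nobody".
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue_values}
    return ca_id.lower() in allowed


def may_issue(fqdn, ca_id, zone, challenge_passed):
    """Both gates are required: CAA can only veto, validation must still succeed."""
    return challenge_passed and caa_permits(fqdn, ca_id, zone)


if __name__ == "__main__":
    for name, ca, ok in [
        ("www.example.com", "letsencrypt.org", True),
        ("www.example.com", "letsencrypt.org", False),  # listed in CAA, challenge failed
        ("www.example.com", "ca.example", True),        # challenge passed, CAA forbids
        ("example.net", "ca.example", True),            # no CAA, challenge passed
    ]:
        print(name, ca, "validated" if ok else "not validated",
              "->", may_issue(name, ca, ZONE, ok))
```
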

Thank you :slight_smile:

