Since 8 September 2017 (CA/Browser Forum Ballot 187), certificate authorities (CAs) have been required to check a domain's CAA (Certification Authority Authorization, RFC 6844, since superseded by RFC 8659) DNS records before issuing an HTTPS certificate for it. To limit which CAs can issue certificates for your site, all you need to do is publish a few CAA records in your DNS zone.
DNSSEC
Before adding CAA records, consider enabling DNSSEC as well. It is not required for CAA, but it is a good idea: the CA/Browser Forum rules let a CA treat a failed CAA lookup as permission to issue only if your zone has no DNSSEC validation chain to the root, so signing the zone stops a spoofed or dropped DNS answer from hiding your CAA policy from the CA.
DNSSEC Explained
Read my post on setting up DNSSEC with Cloudflare here.
Namecheap lets you enable DNSSEC with one click (so the guide above is only needed if you use Cloudflare).
Testing DNSSEC
First, test DNSSEC on your domain here: https://dnssec-analyzer.verisignlabs.com/ (I already have DNSSEC enabled)
I use Namecheap for buying domains and HTTPS certs (you can buy a new domain here). Namecheap lets you enable DNSSEC and add CAA DNS records easily.
Read Namecheap’s CAA guide here.
Scott Helme tweeted a great write-up on CAA here.
CAA is probably the best bang for buck you’re going to get! https://t.co/pvThaQ8qFl
— Scott Helme (@Scott_Helme) March 14, 2019
Testing CAA (on your website)
Go to https://dev.ssllabs.com/ssltest/ and scan your website.
Once the scan completes, the report shows whether CAA records were found for the domain (scroll past the rating). You can also query the CAA record type directly with any DNS lookup tool, such as dig, to see the raw records.
In my case CAA records were not detected.
Adding DNS CAA records at Namecheap
I logged into Namecheap, clicked Manage domain and clicked the Advanced DNS tab
I clicked Add New Record (DNS), then selected CAA. Here are the records for my main domain (allowing Comodo/Sectigo HTTPS certificates only):
Type        Host   Value                          TTL
CAA Record  @      0 issue "comodoca.com"         Automatic
CAA Record  @      0 issue "comodo.com"           Automatic
CAA Record  @      0 issue "usertrust.com"        Automatic
CAA Record  @      0 issue "trust-provider.com"   Automatic
CAA Record  @      0 issue "sectigo.com"          Automatic
Here is my record for a sub domain (allowing Let's Encrypt HTTPS certificates only). A sub domain with its own CAA records is governed by those records rather than by the parent's:
Type        Host              Value                        TTL
CAA Record  audit.fearby.com  0 issue "letsencrypt.org"    Automatic
It is also possible to set up email alerts for CAA violations (requests that a CA refused because of your CAA policy) with an iodef record, where the CA supports it. I set up a [email protected] email alias.
Type        Host              Value                                  TTL
CAA Record  audit.fearby.com  0 iodef "mailto:[email protected]"   Automatic
CAA Record  @                 0 iodef "mailto:[email protected]"   Automatic
Image of my final Namecheap DNS config.
Test CAA Records
I visited https://dev.ssllabs.com/ssltest/ and performed a final scan.
Pass 🙂
I also have real-time remote server monitoring that reports on HTTPS presence and uptime; read the post here.
Plug(s)
- Buy a VM, get $25 credit (blog post)
- Buy a Domain from Namecheap
- Setup GSuite Email for your domain
- Setup a WordPress CDN or Image Resizing
- Setup Realtime Server Monitoring
Warning
I had an issue where I failed to update my DNS (and define a CAA record) for the sub domain used for Nixstats reporting. I was receiving this error:
dev.ssllabs.com was reporting that the cert had expired.
The awesome chat support (Vincent) over at Nixstats found out it was because I did not have a CAA record for the sub domain allowing "letsencrypt.org" to generate certs.
If you renew a Let's Encrypt cert manually with the following command while the sub domain has no CAA record permitting letsencrypt.org, you will see an error. The CA looks for CAA records on the sub domain first and, finding none, climbs to the parent domain; the parent records above permit only Comodo/Sectigo, so they apply to the sub domain as well and Let's Encrypt refuses to issue.
> certbot -q renew
Error Output
Attempting to renew cert (subdomain.fearby.com) from /etc/letsencrypt/renewal/
subdomain.fearby.com.conf produced an unexpected error: Failed authorization procedure.
subdomain.fearby.com (http-01): urn:acme:error:caa :: CAA record for
subdomain.fearby.com prevents issuance. Skipping.
All renewal attempts failed.
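The following is an added example (not code from the original post, Namecheap or Certbot) that shows how a CA evaluates the records in the "Adding DNS CAA records" section and why the renewal above failed. It implements the relevant-RRset lookup from RFC 8659 section 3 (check the name, then each parent until a CAA RRset is found) and the issue/issuewild/critical-flag checks from section 4 over a constructed in-memory zone. The fearby.com and audit.fearby.com issue values are the post's; the iodef mailbox, the "before fix" zone state and the example.com names are assumptions, and nothing is queried over the network (CNAME/DNAME following is out of scope).

```python
"""Added example: how a CA applies CAA records (RFC 8659 sections 3 and 4).

Constructed in-memory zone, no DNS traffic. The fearby.com issue values come
from the post; everything else (iodef mailbox, 'before fix' state) is assumed.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR
Zone = Dict[str, List[Record]]
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone mirroring the post's records after the fix: the root
# permits Comodo/Sectigo only, the audit sub domain permits Let's Encrypt.
# The iodef mailbox is a placeholder (the post's alias is obfuscated).
ZONE_AFTER_FIX: Zone = {
    "fearby.com": [
        (0, "issue", "comodoca.com"),
        (0, "issue", "comodo.com"),
        (0, "issue", "usertrust.com"),
        (0, "issue", "trust-provider.com"),
        (0, "issue", "sectigo.com"),
        (0, "iodef", "mailto:caa-alerts@example.com"),
    ],
    "audit.fearby.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:caa-alerts@example.com"),
    ],
}

# Assumed state that produced the certbot error in the Warning section:
# only the root has CAA records, so the sub domain inherits them.
ZONE_BEFORE_FIX: Zone = {"fearby.com": ZONE_AFTER_FIX["fearby.com"]}


def relevant_caa(name: str, zone: Zone) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 section 3: walk from the FQDN up through its parents and
    return the first non-empty CAA RRset plus the name it was found at."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate)
        if records:
            return candidate, list(records)
    return None, []


def issuer_domain(value: str) -> str:
    """Strip optional parameters: 'letsencrypt.org; validationmethods=dns-01'
    becomes 'letsencrypt.org'. An empty issuer (value ';') authorises nobody."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str, zone: Zone, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether CA identifier `ca` may issue for `name` (or `*.name`)."""
    found_at, records = relevant_caa(name, zone)
    if not records:
        return True, "no CAA RRset on the name or any parent: issuance is unrestricted"
    # Section 4.1: a critical flag (bit 7) on a tag the CA does not understand
    # means the CA must not issue.
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False, f"critical unrecognised tag '{tag}' at {found_at}"
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # Section 4.3: issuewild governs wildcard requests when present,
    # otherwise the issue tags apply to wildcards too.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA RRset at {found_at} has no issue/issuewild tags: unrestricted"
    if ca.lower() in applicable:
        return True, f"'{ca}' is authorised by the CAA RRset at {found_at}"
    return False, f"'{ca}' is not among {applicable} at {found_at}"


def iodef_contacts(name: str, zone: Zone) -> List[str]:
    """Section 4.4: where a CA that supports iodef should report a refusal."""
    _, records = relevant_caa(name, zone)
    return [v for _, t, v in records if t == "iodef"]


if __name__ == "__main__":
    for label, zone in (("before fix", ZONE_BEFORE_FIX), ("after fix", ZONE_AFTER_FIX)):
        for ca in ("letsencrypt.org", "sectigo.com"):
            ok, why = may_issue("audit.fearby.com", ca, zone)
            print(f"[{label}] audit.fearby.com / {ca}: {'ISSUE' if ok else 'REFUSE'} ({why})")
    ok, why = may_issue("fearby.com", "sectigo.com", ZONE_AFTER_FIX, wildcard=True)
    print(f"[after fix] *.fearby.com / sectigo.com: {'ISSUE' if ok else 'REFUSE'} ({why})")
```

Run it and the "before fix" case refuses letsencrypt.org for audit.fearby.com because the relevant RRset is found at fearby.com, which is exactly the `urn:acme:error:caa` refusal above; adding the sub domain record moves the relevant RRset to audit.fearby.com and the refusal disappears. Note that the same climb means removing a sub domain's own records silently puts it back under the parent's policy.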
DNS additions and changes take a while to propagate, so monitor What's My DNS for the change status before retrying a renewal.
Thanks for reading.
For simplicity I have removed all sub domain CAA records and only set global ones.
Revision History
v1.2 Troubleshooting
v1.1 Plugs
v1.0 initial Post