Make use of "caa-identities" metadata

[zjs]

If the ACME server exposes a "caa-identities" key in its /directory response's "meta" key, Certbot should expose that to users so that they know what string to use if they wish to configure CAA.

Additionally, if the ACME servers exposes such a key, Certbot could attempt to verify the domain does not have a conflicting CAA record prior to trying to obtain a certificate (to fail fast with a helpful error message).

See also:

• Add caaIdentities entry to /directory endpoint's meta entry letsencrypt/boulder#2811
• CAA record for <my_domain> prevents issuance #4827

[pde]

This would be a good volunteer task if the core team specified what the mechanism of exposure was?

[stale]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no further activity, this issue will be automatically closed.

[mnordhoff]

Still relevant, bot.

[cpu]

If the ACME server exposes a "caa-identities" key in its /directory response's "meta" key, Certbot should expose that to users so that they know what string to use if they wish to configure CAA.

One update: per RFC 8555 Section 7.1.1 this is now the "caaIdentities" key. All of the hyphenated directory keys were changed to camel case at some point during the standardization process.

[stale]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

[stale]

This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look.

[osirisinferi]

Probably still a good idea, inadvertably closed by stalebot.

[github-actions]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

[hablutzel1]

In addition, certbot could provide a hook (or something like that) to automatically update the DNS CAA records for the specific domains covered by the ACME order.