CAA records will be added after enforcing HTTPS for GitHub Pages

[DevDengChao]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/pages/getting-started-with-github-pages/securing-your-github-pages-site-with-https

What part(s) of the article would you like to see updated?

The Enforcing HTTPS for your github pages site dosen't mentioned it will automatically add some CAA records for your custom domain.
I thought it was just redirecting requests from port 80 to 443.

This makes it hard to debugging when requesting certificates from other CA ( Try search out 'Verify error:CAA record for XXX prevents issuance' ).

Additional information

The story:
I built a website over GitHub Pages, gave it a custom domain and enabled the 'Enforcing HTTPS' function before.
Then today my cloud service provider notified me that the SSL certificate I used is nearly expired.
So I started requesting new certificates from Let's encrypt with some wildcard subdomains, which covered the one I gave to the GitHub Pages site.
And then acme client keeps telling me 'Verify error:CAA record for XXX prevents issuance' when renewing certificate.
Finally I remembered that site was hosting on GitHub and it enabled Enforcing HTTPS there.
After I disabled the Enforcing HTTPS function, and verified it with dig CAA xxxx, then the certification renew progress continues.

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[cmwilson21]

@DevDengChao Thanks so much for opening an issue and providing all the details! I'll triage this for the team to take a look 👀

[DevDengChao]

@cmwilson21 Any update ?

[cmwilson21]

@DevDengChao Thanks for checking in! This is up on the board and waiting for a writer's review. Someone will have eyes on it soon 👀

[DevDengChao]

I'm researching on this again today as my cert is nearly expired these days.
Still cannot renew a certification with acme.sh except disabling the custom domain DNS record.

What I tried:

1. Disabled the "Enforce HTTPS" function in Pages. Then the site is available via both HTTP and HTTPS, but Let's Encrypt still cannot issue a certification as it thought the CAA record for *.xxx.dengchao.fun is preventing issuance.
2. Add CAA record with value 0 issue letsencrypt.org for @.dengchao.fun not works
3. Add CAA record with value 0 issue letsencrypt.org for *.dengchao.fun not works
4. Add CAA record with value 0 issue letsencrypt.org for *.xxx.dengchao.fun not works
5. Add CAA record with value 0 issuewild letsencrypt.org for *.xxx.dengchao.fun not works
6. Disabled CNAME record for xxx.dengchao.fun to xxx.github.io, then it works, let's encrypt is able to give me a new certification.

I have to hosting my site somewhere else before (GitHub solved this problem || I figure out what's going wrong with the CAA records).

[DevDengChao]

@cmwilson21 Help, I have to add subdomains one by one in the certification renew request now, if you could remove the unexpected CAA records or add one more 0 issuewild letsencrypt.org will help me a lot.

[jeanp1209]

Jp[Touchez un extrait pour le coller dans la zone de texte.](https://gboard.app.goo.gl/eRn6x)

[cmwilson21]

@DevDengChao - Thanks for reaching out and providing extra information and the steps you have taken.

A majority of our team are out for the holidays, so this may not get reviewed until their return. If you are needing immediate help, please reach out to our amazing support team. 💛