Certificate Authority Authorization to secure certificate delivery #3083
Be careful with this and make sure all places that could issue certificates are covered, i.e. repo.jenkins-ci.org (not sure if any others don't use Let's Encrypt)
smerle33 modified the milestones: infra-team-sync-2022-08-02, infra-team-sync-2022-08-09 (Aug 2, 2022)
As per https://sslmate.com/caa/ + https://www.certificate-transparency.org/:
The CAA records to be created (with a minimal TTL):

| Name | Type | Value |
|--------------------|--------|-----------------------------|
| jenkins.io. | CAA | 0 issue "amazon.com" |
| | | 0 issue "globalsign.com" |
| | | 0 issue "letsencrypt.org" |
| | | 0 issue "godaddy.com" |
| jenkins-ci.org. | CAA | 0 issue "amazon.com" |
| | | 0 issue "globalsign.com" |
| | | 0 issue "letsencrypt.org" |
| | | 0 issue "godaddy.com" |
| jenkinsistheway.io | CAA | 0 issue "amazon.com" |
| | | 0 issue "globalsign.com" |
| | | 0 issue "letsencrypt.org" |
| | | 0 issue "godaddy.com" |

Ping @Wadeck @daniel-beck @MarkEWaite @timja does it look good to you?

Not enough of a DNS expert to reply :)

Done:

✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"

✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"

✔ All looks good
---
0 issue "amazon.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
0 issue "godaddy.com"
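
An added example (not part of the original thread or of the Jenkins infrastructure code): a pre-deployment check of the kind the first comment asks for, which evaluates the proposed record set against an inventory of the CA currently issuing for each hostname, using RFC 8659 `issue`/`issuewild` semantics. Only the four `issue` values come from the table above; the hostnames and the `other-ca.example` identifier are constructed for illustration.

```python
import re

# Proposed record set from the table above (identical for each of the three zones).
PROPOSED = ['0 issue "amazon.com"', '0 issue "globalsign.com"',
            '0 issue "letsencrypt.org"', '0 issue "godaddy.com"']

CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(rdata):
    """Split presentation-format CAA RDATA into (flags, tag, issuer-domain)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    # Drop optional ";"-separated parameters; an empty issuer means "no CA".
    return flags, tag, value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, wildcard=False):
    """RFC 8659 decision for one relevant record set and one CA identifier."""
    parsed = [parse_caa(r) for r in records]
    # Critical bit (128) on a tag this checker does not know forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in parsed):
        return False
    issue = [v for _, t, v in parsed if t == "issue"]
    wild = [v for _, t, v in parsed if t == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # no applicable restriction, so any CA may issue
    return ca_domain.lower() in relevant

def uncovered(records, inventory):
    """Return hostnames whose current CA would be refused under `records`."""
    return sorted(host for host, ca in inventory.items()
                  if not may_issue(records, ca, wildcard=host.startswith("*.")))

# Constructed inventory (hypothetical hosts and CA identifiers, not real data).
INVENTORY = {
    "www.example.test": "letsencrypt.org",
    "repo.example.test": "other-ca.example",
    "*.cdn.example.test": "amazon.com",
}

if __name__ == "__main__":
    for host in uncovered(PROPOSED, INVENTORY):
        print(f"{host}: current CA not in CAA set, renewal would fail")
```

In practice the inventory would be built from Certificate Transparency search results for each zone before the records are published.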
Service(s)
Other
Summary
In order to add security to certificate delivery we should ensure that we got a domain CAA record as per https://letsencrypt.org/docs/caa/
Reproduction steps
https://caatest.co.uk/jenkins.io