CAA records not verified

[AlexanderS]

I just checked if letsencrypt.org verifies CAA Records and it seems that it does not respect it. I just got a certificate for a domain that has a CAA record, that does not allow letsencrypt.org to issue a certificate.

The requested domain is asulfrian.userpage.fu-berlin.de and this are the CAA records for fu-berlin.de:

fu-berlin.de.       86400   IN  CAA 0 issue "pki.dfn.de"
fu-berlin.de.       86400   IN  CAA 0 iodef "mailto:certificate@fu-berlin.de"

There are no CAA records for the sub domains. Reading the relevant section in rfc6844 shows clearly that this records should be the relevant ones. So I should not be able to get this certificate.

[jsha]

@rolandshoemaker, can you take a look at this?

[rolandshoemaker]

So CAA checking is working but the code that checks it's result for an error doesn't actually do anything useful with it (i.e. making the challenge invalid) meaning that a challenge that fails CAA can still be completed, this is bad.

[rolandshoemaker]

Further inspection shows that validateChallengeAndCAA attempts to mutate the challenge passed to it by value, failing to actually change the status.

[jsha]

Thanks for reporting! This is fixed and deployed to production. We publicly disclosed the issue here: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/_HqrifRcSYs.