I just checked if letsencrypt.org verifies CAA records and it seems that it does not respect them. I just got a certificate for a domain that has a CAA record that does not allow letsencrypt.org to issue a certificate.
The requested domain is asulfrian.userpage.fu-berlin.de and these are the CAA records for fu-berlin.de:
fu-berlin.de. 86400 IN CAA 0 issue "pki.dfn.de"
fu-berlin.de. 86400 IN CAA 0 iodef "mailto:certificate@fu-berlin.de"
There are no CAA records for the subdomains. Reading the relevant section in RFC 6844 shows clearly that these records should be the relevant ones. So I should not be able to get this certificate.
So CAA checking is working, but the code that checks its result for an error doesn't actually do anything useful with it (i.e. making the challenge invalid), meaning that a challenge that fails CAA can still be completed. This is bad.
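The tree-climbing lookup the report relies on, and the gating the comment says was missing, shown as an added example (not code from Let's Encrypt or from this thread). The zone data is constructed from the records quoted in the report; `validate` and the other function names are hypothetical, and CNAME/DNAME handling and wildcard names are left out.

```python
# Constructed zone data: owner name -> list of (flags, tag, value).
# The fu-berlin.de records are the ones quoted in the issue.
ZONE = {
    "fu-berlin.de": [
        (0, "issue", "pki.dfn.de"),
        (0, "iodef", "mailto:certificate@fu-berlin.de"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def relevant_caa(name, zone):
    """Climb from name toward the root; return the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def caa_permits(name, ca_domain, zone):
    """True if ca_domain may issue for a non-wildcard name."""
    records = relevant_caa(name, zone)
    # An unrecognised property marked critical forbids issuance.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issuers = [v.split(";")[0].strip().lower()
               for _, t, v in records if t.lower() == "issue"]
    # No issue property means no restriction on issuance.
    return not issuers or ca_domain.lower() in issuers


def validate(name, ca_domain, zone, challenge_ok):
    """Hypothetical validation step: the CAA result must gate the outcome."""
    if not caa_permits(name, ca_domain, zone):
        return "invalid"
    return "valid" if challenge_ok else "invalid"
```

With the reported name, `validate` returns "invalid" for letsencrypt.org even when the challenge itself succeeded, which is the behaviour the report expected.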