While migrating my blog to use S3 and CloudFormation, I needed to generate a new certificate using the AWS Certificate Manager. However, even after creating the correct DNS records and waiting for them to propagate, AWS was not accepting my generation request without providing any reason.
After spending a lot of time trying to understand what was happening, I discovered that the validation was failing because I had not allowed Amazon’s Certificate Authority to issue an SSL certificate for my domain name, which should have been done by adding a CAA (Certification Authority Authorisation) DNS record.
What is the CAA Field Used For?#
CAA DNS entries allow specifying which Certificate Authorities are allowed to generate certificates for a given domain. It aims to help preventing certificates mis-issues.
CAA Configuration#
Let’s look at a basic example. The following is an extract of the output from the command dig CAA ixonae.com
ixonae.com. 16 IN CAA 0 issuewild "letsencrypt.org"
ixonae.com. 16 IN CAA 0 iodef "mailto:[redacted to prevent crawling]@ixonae.com"
ixonae.com. 16 IN CAA 0 issue "amazon.com"
ixonae.com. 16 IN CAA 0 issue "letsencrypt.org"
The response says that both Amazon and Let’s Encrypt can generate certificates for the domain ixonae.com.
and its subdomains, but only Let’s Encrypt can generate wildcard certificates. In the event that a Certificate
Authority receives an invalid request to generate a certificate, it should send a message to the specified email address. The
0 value is a flag (issue, issuewild and iodef are tags) telling CAs that they shouldn’t mind if they don’t understand
a CAA entry, and just try to read the next one.
Flags#
There are two possible flag values:
0(uncritical) is the default. If a CA doesn’t understand an entry, it can simply ignore it1(critical) tells the CA that it cannot proceed with issuing the certificate if it doesn’t understand the property, and it must notify the owner of the failure (using theiodefprovided values)
CAA Scope#
In our example, all entries have been defined for ixonae.com, but we can also define entries for specific domains
such as www.ixonae.com or test.www.ixonae.com.
The rules priority will be from the most to the less specific. i.e. if we want to generate a certificate for
test.subdomain.domain.com, CAs will first try to see if any rules exist for test.subdomain.domain.com. If not,
they will check if there are any for subdomain.domain.com and then finally for domain.com.
Another thing to note is that if you have only issue entries, then listed CAs are also allowed to issue wildcard
certificates. However, if you have issuewild entries, then only entries with that flag can generate wildcard
certificates.
A final interesting property is that if you only create an entry with the CA being ";", then no one is allowed to
generate a certificate for the specified domain (if there are no CAA entries, then everyone is).
References#
- https://letsencrypt.org/docs/caa/
- https://community.letsencrypt.org/t/caa-issuewild-question/159018/4
- https://www.thesslstore.com/blog/what-is-caa-record-certificate-authority-authorization/
Credits#
- Cover Photo by Scott Rodgerson Unsplash