Let’s Encrypt ACME CAA Limitation

Not all domain names are supported by Let’s Encrypt ACME


Introduction

To host a website or web application securely, you may want to serve it over HTTPS (HTTP over SSL, or rather over TLS nowadays) only and disable plain HTTP or, better, always redirect HTTP to HTTPS.

Traefik Error Log

Let’s get back to my situation. When I tried to set up a new IngressRoute with a certificate resolver for my whoami application on a specific domain, I got these errors in Traefik’s log:

Unable to obtain ACME certificate for domains "this.isnotwork.com": unable to generate a certificate for the domains [this.isnotwork.com]: error: one or more domains had a problem:
[this.isnotwork.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up CAA for this.isnotwork.com
Unable to obtain ACME certificate for domains "this.isnotwork.com": unable to generate a certificate for the domains [this.isnotwork.com]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Certificate Authority Authorization (CAA)

In short, Let’s Encrypt (or any CA) should query the DNS for a CAA record to determine whether it is authorized to issue a certificate for that specific domain. This prevents mis-issued certificates, which could otherwise affect any domain name.

Verify CAA

You can verify whether your domain name is compatible with Let’s Encrypt ACME by using https://unboundtest.com/, which simulates the DNS lookups Let’s Encrypt performs when it tries to issue a certificate.
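To make the CAA check concrete, here is an added Python example (not code from the original post, nor Let’s Encrypt’s own implementation) that performs the RFC 8659 tree-climbing CAA evaluation over a constructed in-memory DNS table instead of live DNS; the names and records in the table are made up, and the "TIMEOUT" entry reproduces the failure mode from the Traefik log, which a CA must treat as a hard error rather than as "no CAA record present".

```python
# Constructed sample DNS data: name -> list of (flags, tag, value) CAA records,
# or the string "TIMEOUT" to simulate a resolver that never answers.
# None of these names or records come from the original post.
CONSTRUCTED_DNS = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "www.example.com.": [],            # no CAA here: the CA climbs to the parent
    "this.isnotwork.com.": "TIMEOUT",   # simulates "query timed out looking up CAA"
    "isnotwork.com.": [],
    "com.": [],
}


class CAALookupError(Exception):
    """A CAA query failed (timeout/SERVFAIL). A CA must not issue in this case."""


def lookup_caa(name):
    """Constructed stand-in for a DNS CAA query; returns the record list for `name`."""
    answer = CONSTRUCTED_DNS.get(name, [])
    if answer == "TIMEOUT":
        raise CAALookupError(f"query timed out looking up CAA for {name.rstrip('.')}")
    return answer


def relevant_caa_rrset(name):
    """RFC 8659 tree climbing: the relevant RRset is the first non-empty CAA set
    found at the name itself or at one of its parents, walking towards the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = lookup_caa(candidate)   # a timeout anywhere on the path aborts the check
        if rrset:
            return candidate, rrset
    return None, []


def issuance_allowed(name, ca="letsencrypt.org", wildcard=False):
    """Decide whether `ca` may issue a certificate for `name` under the relevant CAA RRset."""
    _, rrset = relevant_caa_rrset(name)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    # For wildcard requests, issuewild records take precedence when present.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # A value of ";" lists no CA at all, so it authorizes nobody.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    return ca in allowed
```

Swapping `lookup_caa` for a real resolver call (for example dnspython's `dns.resolver.resolve(name, "CAA")`) turns this into the same check that unboundtest.com runs against live DNS.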

Solution

Ask your DNS service provider whether they can add a CAA record for you, or otherwise change providers. Most DNS service providers support CAA records out of the box; you may check this list on the Traefik documentation page.

Azure DNS

Here I added a new A record under my Azure DNS zone, and the CAA query works fine.

Azure DNS A Record — screen captured by the author
Azure DNS CAA record — screen captured by the author

CNAME Record

The other question still stands: can I use a CNAME record for my domain name?