Hi there, I seem to have run into an issue with multiple CAA records for a domain. I'm using Let's Encrypt for the website, but the supplier of the servers uses another (paid) one. I have multiple CAA records for this. I have to disable the supplier's CAA records for Let's Encrypt to be able to regenerate, and vice versa. Anybody else have this issue and know how to solve this?
Create a CAA record for all CA authorities that you or your supplier use for that domain, and you should be fine.
Having multiple CAA records should be fine and is within spec. Have you checked that the domain really returns all CAA records when queried?
Then there is something wrong with these records, or the CAA records are not yet widely enough propagated. When did you set them up? It may take up to 24 hours until they are broadly available. Another reason could be the wrong definition of issuewild and issue CAA records. Also, what does your DNS server return when you query it for CAA records?
Multiple CAA records should work fine; it works for me with no problems. Is one of the certificates supposed to allow wildcards? Maybe the record is just being created using 'issue' instead of 'issuewild'? On a side note: @till, does ISPConfig allow the application of the iodef tag in CAA records? Is this what the additional options field is for?
Not sure, I have not implemented the CAA records feature. I had a quick look at the code, and it might even be that "additional" here means additional authorities and it creates more CAA records in the background. I guess I will have to test it to see what gets added to the zone file if one uses the additional field.
Any idea what syntax that would use? There's nothing about the CAA records in the 3.1 manual. AFAIK the iodef tag should be in its own CAA record.
Hello, I have been trying to set CAA records through ISPConfig and have run into an issue regarding the iodef tag. Was anyone able to figure out if it's possible to set the iodef record with ISPConfig? I did try to use the options field, but I had no luck so far.
What exactly did you try? I believe the whole CAA record for the cert should look like:

<domain.tld> CAA 0 issue "letsencrypt.com"

and for the iodef:

<domain.tld> CAA 0 iodef "mailto:mailbox@<domain.tld>"

but I don't see any way to do this in ISPConfig, and it would apply the same email to all CAA records for the domain (if you have multiple). You could try putting:

iodef=mailto:<[email protected]>

into the options field for the CAA record. It will create a CAA record that looks like:

<domain.tld> CAA 0 issue "letsencrypt.com; iodef=mailto:<[email protected]>"

I have no idea if this will be seen as valid and work, but it looks like it would allow different email alert addresses for each certificate authority if it does work.
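The thread turns on two checks: whether the domain really returns all of its CAA records, and whether issue, issuewild and iodef records are defined so that each CA is actually authorised. The script below is an added example written for this page; it is not ISPConfig code and not something a poster in the thread supplied. It parses CAA lines in the form `dig <domain> CAA` prints in its answer section (name, optional TTL, optional class, CAA, flags, tag, quoted value), then evaluates the RRset the way RFC 8659 section 4 describes: for a wildcard request the issuewild properties govern when any exist, otherwise the issue properties govern, and an RRset with no governing property does not restrict issuance. It treats iodef as its own property tag, as RFC 8659 defines it, and splits any `;`-separated parameters off an issue value without interpreting them. The sample zone, the names example.com and supplier-ca.example and the mailbox are constructed placeholders; letsencrypt.org is the identifier Let's Encrypt publishes for CAA.

```python
"""Evaluate a domain's CAA RRset per RFC 8659 (added example, not ISPConfig code).

The sample zone below is constructed: example.com, supplier-ca.example and the
hostmaster mailbox are placeholders; letsencrypt.org is the identifier Let's
Encrypt publishes for CAA.
"""
import re
from dataclasses import dataclass

# Zone-file / dig answer-section form: <name> [TTL] [IN] CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)

SAMPLE_ZONE = """
; constructed sample RRset, not a real zone
example.com.  3600 IN CAA 0 issue "letsencrypt.org"
example.com.  3600 IN CAA 0 issue "supplier-ca.example"
example.com.  3600 IN CAA 0 issuewild "supplier-ca.example"
example.com.  3600 IN CAA 0 iodef "mailto:hostmaster@example.com"
"""


@dataclass
class CAARecord:
    name: str
    flags: int
    tag: str    # lower-cased property tag: issue, issuewild, iodef, ...
    value: str


def parse_caa(text):
    """Parse CAA lines; blank lines and ';' comment lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        records.append(CAARecord(m["name"], int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def issuer_of(value):
    """Split an issue/issuewild value 'ca.example; k=v' into its issuer domain
    and a parameter dict. An empty issuer (the value ';') means nobody may issue."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def may_issue(records, ca_domain, wildcard=False):
    """RFC 8659 section 4: for a wildcard request the issuewild properties govern
    when any exist; otherwise (and for non-wildcard requests) the issue
    properties govern. With no governing properties, issuance is unrestricted."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True
    return any(issuer_of(r.value)[0] == ca_domain.lower() for r in governing)


def iodef_contacts(records):
    """iodef is its own property tag; return every reporting address listed."""
    return [r.value for r in records if r.tag == "iodef"]


def unknown_critical(records):
    """Tags marked critical (flags bit 128) that this evaluator does not
    understand; a CA in that position must refuse to issue."""
    known = {"issue", "issuewild", "iodef"}
    return [r.tag for r in records if r.flags & 128 and r.tag not in known]


if __name__ == "__main__":
    rrset = parse_caa(SAMPLE_ZONE)
    for ca in ("letsencrypt.org", "supplier-ca.example", "other-ca.example"):
        plain = may_issue(rrset, ca)
        wild = may_issue(rrset, ca, wildcard=True)
        print(f"{ca:22} plain={plain!s:5} wildcard={wild}")
    print("incident reports go to:", iodef_contacts(rrset))
```

With the sample RRset, Let's Encrypt may issue ordinary certificates but not wildcards, because an issuewild record exists and names only the supplier's CA; that is exactly the asymmetry the thread suspects when one CA fails to renew. To check a live domain, paste the answer section of `dig <domain> CAA` into `parse_caa` instead of SAMPLE_ZONE; if a record you configured is missing from that output, the problem is propagation or the zone, not the CA.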