Prevent CAA records from Let's Encrypt

Discussion in 'General' started by WHO, Jun 22, 2022.

  1. WHO

    WHO Member HowtoForge Supporter


    After activating Let's Encrypt for a Domain, CAA records are automatically created. Is there a way to prevent this? Often the Let's Encrypt certificates are only created to bridge until the original certificate is available.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you do not want Let's Encrypt certificate, do not choose it. Get that other kind of certificate and enter it in the SSL tab.
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I had not heard of this, and just checked the code but I don't see any function that does this. If it would exist I would be 99% sure we would have added a checkbox. Maybe this is a local change you made to a private branch?
  4. exynenem

    exynenem Member

    Pardon, but OP is right.
    It seems to be the default behavior that ISPConfig creates a CAA record when Let's Encrypt is enabled.

    Somehow I arranged myself with that behaviour over the years but from my own experience I can tell that it can get frustrating if one is not aware of this default behaviour and wants to issue a certificate from a certification authority and wonders why there is no progression in the issueing process.
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If that's the case, we should add a function to disable that, probably even disable it by default. Will look into the code.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Probably could leave it enabled by default, as this thread demonstrates it is an issue so infrequently that even after several years, most people don't know it exists. When you are using a certificate from a new authority, you simply add another CAA record for it (and delete the old one if appropriate).
    ahrasis likes this.
  7. michelangelo

    michelangelo Member

    I can live with it, if it is enabled by default.
    Nevertheless it would be nice to have a checkbox to disable this behaviour.

Share This Page