CAA Failure for CloudFlare DNS?

0

We maintain a number of domains and requests certificates for CloudFront to S3 distributions, the zones are all hosted in CloudFlare and most of them passes CM validation without problems.

But recently one of our domains are hitting this CAA failure, after successfully validating via DNS CNAME method. We know that CloudFlare adds their own CAA domains automatically, so AWS's option of leaving them blank may not work. We went ahead and added 4 CAA domains for amazon, but it still fails with CAA Error without further details on what we should do.

What exactly is CM requiring for CAA? Or is it even CAA related?

iLake
posta 5 anni fa997 visualizzazioni
3 Risposte
0

Solved my own question, maybe it is CloudFlare who suddenly sets CAA automatically on the root domain and that's what prevents our CI pipeline from invoking ACM validation.

So our problem is essentially a misconfiguration on wildcard subdomains, such that the line below is wrong * CAA 0 issue amazon.com and instead we should use

@ CAA 0 issuewild amazon.com

Edited by: iLake on Oct 22, 2019 12:15 AM

iLake
con risposta 5 anni fa
0

Hi, so you only setting for "amazon.com"?

How about amazontrust.com , awstrust.com , amazonaws.com?

Can you share your screenshot from CloudFlare please? I'm still having CAA error :(

con risposta 5 anni fa
0

Notice the difference between @ versus * for the wildcard. It should be @. Here is an example: Enter image description here

After saving, it looks like so: Enter image description here

Using dig on the cli, you should see something like so (notice "amazon.com" on the first line):

dig +short CAA benfran.com | sort
0 issue "amazon.com"
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

I only had to specify the one Amazon CA, "amazon.com" not all four. That aligns with the documentation too:

...a CAA record that specifies one of the following four Amazon CAs...

https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

con risposta un anno fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande