CAA Failure for CloudFlare DNS?

0

We maintain a number of domains and requests certificates for CloudFront to S3 distributions, the zones are all hosted in CloudFlare and most of them passes CM validation without problems.

But recently one of our domains are hitting this CAA failure, after successfully validating via DNS CNAME method. We know that CloudFlare adds their own CAA domains automatically, so AWS's option of leaving them blank may not work. We went ahead and added 4 CAA domains for amazon, but it still fails with CAA Error without further details on what we should do.

What exactly is CM requiring for CAA? Or is it even CAA related?

iLake
質問済み 5年前1000ビュー
3回答
0

Solved my own question, maybe it is CloudFlare who suddenly sets CAA automatically on the root domain and that's what prevents our CI pipeline from invoking ACM validation.

So our problem is essentially a misconfiguration on wildcard subdomains, such that the line below is wrong * CAA 0 issue amazon.com and instead we should use

@ CAA 0 issuewild amazon.com

Edited by: iLake on Oct 22, 2019 12:15 AM

iLake
回答済み 5年前
0

Hi, so you only setting for "amazon.com"?

How about amazontrust.com , awstrust.com , amazonaws.com?

Can you share your screenshot from CloudFlare please? I'm still having CAA error :(

回答済み 5年前
0

Notice the difference between @ versus * for the wildcard. It should be @. Here is an example: Enter image description here

After saving, it looks like so: Enter image description here

Using dig on the cli, you should see something like so (notice "amazon.com" on the first line):

dig +short CAA benfran.com | sort
0 issue "amazon.com"
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

I only had to specify the one Amazon CA, "amazon.com" not all four. That aligns with the documentation too:

...a CAA record that specifies one of the following four Amazon CAs...

https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ