CAA Failure for CloudFlare DNS?

0

We maintain a number of domains and requests certificates for CloudFront to S3 distributions, the zones are all hosted in CloudFlare and most of them passes CM validation without problems.

But recently one of our domains are hitting this CAA failure, after successfully validating via DNS CNAME method. We know that CloudFlare adds their own CAA domains automatically, so AWS's option of leaving them blank may not work. We went ahead and added 4 CAA domains for amazon, but it still fails with CAA Error without further details on what we should do.

What exactly is CM requiring for CAA? Or is it even CAA related?

iLake
질문됨 5년 전995회 조회
3개 답변
0

Solved my own question, maybe it is CloudFlare who suddenly sets CAA automatically on the root domain and that's what prevents our CI pipeline from invoking ACM validation.

So our problem is essentially a misconfiguration on wildcard subdomains, such that the line below is wrong * CAA 0 issue amazon.com and instead we should use

@ CAA 0 issuewild amazon.com

Edited by: iLake on Oct 22, 2019 12:15 AM

iLake
답변함 5년 전
0

Hi, so you only setting for "amazon.com"?

How about amazontrust.com , awstrust.com , amazonaws.com?

Can you share your screenshot from CloudFlare please? I'm still having CAA error :(

답변함 5년 전
0

Notice the difference between @ versus * for the wildcard. It should be @. Here is an example: Enter image description here

After saving, it looks like so: Enter image description here

Using dig on the cli, you should see something like so (notice "amazon.com" on the first line):

dig +short CAA benfran.com | sort
0 issue "amazon.com"
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

I only had to specify the one Amazon CA, "amazon.com" not all four. That aligns with the documentation too:

...a CAA record that specifies one of the following four Amazon CAs...

https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠