- Newest
- Most votes
- Most comments
Solved my own question, maybe it is CloudFlare who suddenly sets CAA automatically on the root domain and that's what prevents our CI pipeline from invoking ACM validation.
So our problem is essentially a misconfiguration on wildcard subdomains, such that the line below is wrong
* CAA 0 issue amazon.com
and instead we should use
@ CAA 0 issuewild amazon.com
Edited by: iLake on Oct 22, 2019 12:15 AM
Hi, so you only setting for "amazon.com"?
How about amazontrust.com , awstrust.com , amazonaws.com?
Can you share your screenshot from CloudFlare please? I'm still having CAA error :(
Notice the difference between @
versus *
for the wildcard. It should be @
.
Here is an example:
After saving, it looks like so:
Using dig
on the cli, you should see something like so (notice "amazon.com"
on the first line):
dig +short CAA benfran.com | sort
0 issue "amazon.com"
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
I only had to specify the one Amazon CA, "amazon.com" not all four. That aligns with the documentation too:
...a CAA record that specifies one of the following four Amazon CAs...
https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
Relevant content
- Accepted Answerasked 10 days ago
- asked 3 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated a year ago