Cert Renewal Fails Due to CAA mismatch, Can't Authorize Additional CA


I recently received an email that AWS failed to renew certificates for subdomains whose DNS is through Route53. The root domain uses a certificate from another authority. There is a mismatch in the CAA records because the current record is for the root domain which uses a certificate from the different certificate authority, so AWS fails to renew. Fine, I thought... I will just add the appropriate record to additionally authorize AWS.

Now, research tells me that you cannot list multiple authorities in a single CAA record, and that the appropriate process is to create multiple CAA records. But:

  • Route53 errors when attempting to create another CAA record for the root, complaining the record already exists (research says this actually should be valid).
  • Route53 errors when attempting to create a CAA record for the specific subdomains under the AWS certificate, complaining that the subdomain.example.com CAA is in conflict with example.com CAA (research says this actually should be valid).

So it seems that AWS Route53's implementation of CAA is bugged and it is not possible to renew my AWS certificates unless AWS can alter their own code. Please advise.

asked 2 years ago, 403 views
1 Answer

Thank you for the detailed analysis/description.

The CAA record type is supported in Route 53, while we might consider its format listed in doc [1], especially that the coexistence of a CAA and a CNAME record with the same name is not allowed.

For example, via the Route 53 Console, creating a single CAA record to include all of the required CAs should be sufficient for ACM validation:

[Screenshot: Route 53 Console]

More CAA record examples are available in https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html while I also find https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ extremely helpful in understanding how CAA validation works in ACM.

If the issue persists, please feel free to provide additional information for further discussion.


[1] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html#CAAFormat

AWS
weidi
answered 2 years ago
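As an added illustration of the two points above (not code from the question, the answer or AWS), the following constructed example evaluates CAA the way a CA does under RFC 8659 (climb from the FQDN toward the root, the first CAA set found governs, so a subdomain without its own CAA inherits the apex set) and builds the Route 53 change batch that puts several CAs into ONE CAA record set as multiple values. The zone data is constructed and "other-ca.example" is a placeholder for the root domain's existing CA.

```python
"""Constructed example: CAA evaluation (RFC 8659) and a Route 53 CAA change batch.
Zone data is made up; "other-ca.example" is a placeholder for the root's current CA."""

# Constructed zone as the asker described it: only the apex has CAA, naming one CA.
ZONE_BEFORE = {"example.com.": [(0, "issue", "other-ca.example")]}

def relevant_caa(fqdn, zone):
    """RFC 8659 s.3: walk from the FQDN toward the root; the first CAA set found governs."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuance_allowed(fqdn, ca_domain, zone, wildcard=False):
    """True if the CA identified by ca_domain may issue a certificate for fqdn."""
    _, records = relevant_caa(fqdn, zone)
    # wildcard requests use issuewild when any is present, otherwise fall back to issue
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    restricting = [v for _, t, v in records if t == tag]
    if not restricting:
        return True  # no issue/issuewild property anywhere in the chain: unrestricted
    # value is "<issuer-domain>[; param=value ...]"; an empty issuer domain denies everyone
    return ca_domain in {v.split(";")[0].strip() for v in restricting}

def route53_caa_change(name, ca_domains, ttl=300):
    """One CAA record set whose ResourceRecords carry every CA (Route 53 value
    format: flags tag "value"). Several CAs are several values of one set."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "CAA", "TTL": ttl,
        "ResourceRecords": [{"Value": f'0 issue "{d}"'} for d in ca_domains]}}]}

def apply_change(zone, batch):
    """Mirror the UPSERT into the constructed zone dict (stands in for the real
    ChangeResourceRecordSets call; no AWS API is contacted here)."""
    for change in batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        parsed = []
        for rr in rrset["ResourceRecords"]:
            flags, tag, value = rr["Value"].split(" ", 2)
            parsed.append((int(flags), tag, value.strip('"')))
        zone[rrset["Name"]] = parsed
    return zone

if __name__ == "__main__":
    zone = dict(ZONE_BEFORE)
    print(issuance_allowed("api.example.com.", "amazon.com", zone))  # False: renewal fails
    apply_change(zone, route53_caa_change("example.com.", ["other-ca.example", "amazon.com"]))
    print(issuance_allowed("api.example.com.", "amazon.com", zone))  # True
```

Checking the live answer is a `dig CAA example.com` (and `dig CAA api.example.com`, which returns no CAA, so the apex set applies); the value list the ACM documentation linked above expects for AWS-issued certificates should appear there after the change propagates.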
