CAA Failure for CloudFlare DNS?

0

We maintain a number of domains and requests certificates for CloudFront to S3 distributions, the zones are all hosted in CloudFlare and most of them passes CM validation without problems.

But recently one of our domains are hitting this CAA failure, after successfully validating via DNS CNAME method. We know that CloudFlare adds their own CAA domains automatically, so AWS's option of leaving them blank may not work. We went ahead and added 4 CAA domains for amazon, but it still fails with CAA Error without further details on what we should do.

What exactly is CM requiring for CAA? Or is it even CAA related?

iLake
已提問 5 年前檢視次數 997 次
3 個答案
0

Solved my own question, maybe it is CloudFlare who suddenly sets CAA automatically on the root domain and that's what prevents our CI pipeline from invoking ACM validation.

So our problem is essentially a misconfiguration on wildcard subdomains, such that the line below is wrong * CAA 0 issue amazon.com and instead we should use

@ CAA 0 issuewild amazon.com

Edited by: iLake on Oct 22, 2019 12:15 AM

iLake
已回答 5 年前
0

Hi, so you only setting for "amazon.com"?

How about amazontrust.com , awstrust.com , amazonaws.com?

Can you share your screenshot from CloudFlare please? I'm still having CAA error :(

已回答 5 年前
0

Notice the difference between @ versus * for the wildcard. It should be @. Here is an example: Enter image description here

After saving, it looks like so: Enter image description here

Using dig on the cli, you should see something like so (notice "amazon.com" on the first line):

dig +short CAA benfran.com | sort
0 issue "amazon.com"
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

I only had to specify the one Amazon CA, "amazon.com" not all four. That aligns with the documentation too:

...a CAA record that specifies one of the following four Amazon CAs...

https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南