No CAA on netlify subdomains

Netlify site name: optimade-providers.netlify.app
Custom domain: providers.optimade.org
Error message:

  • First: “SniCertificate::CertificateInvalidError: Unable to verify challenge for providers.optimade.org
    We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.”

  • Later: “Acme::Client::Error::RateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/ We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.”

I’ve tracked the issue down to a CAA record problem:

  • The sysadmins handling our top domain optimade.org want only the CAA record sectigo.com there. There would be security implications in allowing letsencrypt to issue a certificate for this top domain, and there is no reason to allow this.

  • providers.optimade.org is a CNAME to your servers. A subdomain with a CNAME record is formally not allowed to have other records, so we shouldn’t set a CAA record here.

  • You do not set any CAA records on the CNAME target.

This means that CAA resolution ends up finding the top domain CAA record that only allows sectigo.com. Hence, the letsencrypt renewal fails.

We don’t have the same issue with other subdomains to optimade.org hosted using GitHub pages, because they sensibly set CAA records for letsencrypt on their CNAME targets to avoid this issue.

Is there a reason you do not do the same thing? As far as I can see, if you won’t set letsencrypt CAA records at your end user CNAME targets the way GitHub pages do, we will have to “unnecessarily” provision a sectigo certificate also for our providers.optimade.org subdomain.

Hi, @rartino, it would be helpful to see one of these custom domains working with SSL at the GitHub pages. Would you please send us a URL for a site working with SSL and GitHub pages?

Hi @luke,

Thanks for the reply!

Sure, the most obvious subdomain we serve from GitHub pages is www.optimade.org:

> dig www.optimade.org cname +short @8.8.8.8
materials-consortia.github.io.

We also have schemas.optimade.org:

> dig schemas.optimade.org cname +short @8.8.8.8
materials-consortia.github.io.

As you see, these point at materials-consortia.github.io, which has:

> dig materials-consortia.github.io caa +short @8.8.8.8
0 issue "digicert.com"
0 issue "letsencrypt.org"
0 issuewild "digicert.com"

Compare that with providers.optimade.org:

> dig providers.optimade.org cname +short @8.8.8.8
optimade-providers.netlify.com.

Which doesn’t have any caa records:

> dig optimade-providers.netlify.com caa +short @8.8.8.8

However, I am realizing that GitHub does not (as far as I know) allow custom certificates. So to support configurations like ours, Netlify would need a bit more configurability around these records (at least the option for a letsencrypt CAA or no CAA record). Still, I see a lot of questions around SSL certificates in these community forums. Setting letsencrypt CAAs on the CNAME target for everyone who uses a default autogenerated letsencrypt certificate would likely cut those down, since it will be much more difficult to end up with a CAA misconfiguration.
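To make the CAA resolution described in the first post and in the dig output above concrete, here is an added Python model (not code from the thread or from Netlify) of the RFC 8659 lookup: answer the CAA query for a name by following its CNAME chain, and if that yields nothing, climb to the parent of the queried name. The zone data is constructed from the dig output; the content of the optimade.org CAA record is assumed from the description ("only sectigo.com").

```python
# Added example: a model of RFC 8659 CAA resolution over a constructed zone.
# ZONE is constructed from the dig output in the thread; the optimade.org
# CAA record content is assumed from the description ("only sectigo.com").
ZONE = {
    "optimade.org": {"CAA": [(0, "issue", "sectigo.com")]},
    "www.optimade.org": {"CNAME": "materials-consortia.github.io"},
    "providers.optimade.org": {"CNAME": "optimade-providers.netlify.com"},
    "materials-consortia.github.io": {"CAA": [
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "digicert.com"),
    ]},
    "optimade-providers.netlify.com": {},  # no CAA on the CNAME target
}

def lookup(zone, name, rtype):
    """Answer one query the way a resolver does: follow the CNAME chain and
    return (owner, rrset), or None on NODATA or a CNAME loop."""
    seen = set()
    while name not in seen:
        seen.add(name)
        rr = zone.get(name, {})
        if rtype in rr:
            return name, rr[rtype]
        if "CNAME" not in rr:
            return None
        name = rr["CNAME"]
    return None

def relevant_caa(zone, name):
    """RFC 8659 section 3: CAA(X) if the query yields one, else the relevant
    set of parent(X). The climb uses the queried name, not the CNAME target."""
    while name:
        found = lookup(zone, name, "CAA")
        if found is not None:
            return found
        name = name.partition(".")[2]  # drop the leftmost label
    return None, []  # reached the root with no CAA: issuance is unrestricted

def ca_permitted(zone, name, ca):
    """Return (allowed, owner of the controlling CAA set) for CA identifier ca."""
    owner, rrset = relevant_caa(zone, name)
    if not rrset:
        return True, owner
    # keep only "issue" properties; strip parameters such as "; validationmethods=..."
    allowed = {v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"}
    return ca in allowed, owner
```

With this zone, `ca_permitted(ZONE, "providers.optimade.org", "letsencrypt.org")` is refused by the optimade.org record, while `www.optimade.org` is allowed by the CAA set on the github.io target; adding a letsencrypt.org CAA to the netlify.com target name makes the providers subdomain pass as well.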

If you have a lets encrypt CAA record, we can use it. You’ll put it on the hostname itself: providers.optimade.org - you don’t need to change the record on the ROOT domain, you set one on the subdomain which will be used instead. Of course, if it’s a CNAME you’re using as you point out, that prevents other records.

Since we cannot change our own CAA, you will need a custom certificate to use our service. You can of course get your own from lets encrypt (or your network admins can, I suppose), and update it every 85 days or so. But I’d buy one for a year if I were you.

I am confirming with my team that we can’t support this config, but if I recall correctly we just got turned down a few weeks ago. Will follow up if I was wrong!

Sorry we can’t support that configuration today!

Thanks for the reply and help!

you set [a CAA record] on the subdomain which will be used instead. Of course, if it’s a CNAME you’re using as you point out, that prevents other records.

Right, and having a CNAME is what you suggest for the configuration for subdomains. Does your answer mean that it is OK to instead use an A pointer to 104.198.14.52? Your docs don’t explicitly say that config is supported for subdomains.

In any case, we want to avoid the A pointer if we can, so we went ahead and, as you seem to suggest, installed a manual sectigo certificate instead (i.e., the same certificate authority we have for the root domain). Now everything is working, so our issue is resolved (at least for a year).

Nevertheless, I understand that re-configuring your DNS records is not something you do at a whim. But perhaps you can add the feature request that having the option of getting letsencrypt CAA records on the CNAME target could be useful for your customers (and, I would argue, is the reasonable default for people with auto-renewed letsencrypt certs). It could be done by just another domain alias; e.g., you ask us to CNAME to optimade-providers .le. netlify.app, and you put a letsencrypt CAA record there.

Thanks, best,
Rickard


Hey @rartino,

Not a daft feature (and not a new request, either)! I’ve added your voice to the req and we’ll feed back to you if/when there’s movement on this.