Hegwin.Me

The bitterest tears shed over graves are for words left unsaid and deeds left undone.

HTTPS Certificate and CAA

On HTTPS Certificates and CAA

Last time I wrote about using Caddy as a reverse-proxy HTTP server so that I would not have to worry about HTTPS certificates. Today, though, I ran into a worrying problem.

Besides the web app serving the blog you are reading, I also have a few other small tools hosted on subdomains; wow.hegwin.me, for example, is a World of Warcraft pet tool. When I added it to Caddy's configuration, a few lines of errors appeared:

ERROR   http.acme_client    challenge failed    {"identifier": "wow.hegwin.me", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: query timed out looking up CAA for wow.hegwin.me", "instance": "", "subproblems": []}}

ERROR   http.acme_client    validating authorization    {"identifier": "wow.hegwin.me", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: query timed out looking up CAA for wow.hegwin.me", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/893851047/155797659767", "attempt": 1, "max_attempts": 3}

The key part of the error is "DNS problem: query timed out looking up CAA". I wondered why the apex domain was fine while the subdomain was not.

For DNS resolution I use DNS.LA, where both the apex domain and the subdomain are set up as A records. Surprisingly, DNS.LA only answers CAA queries for the apex domain. You can check the CAA situation with the following dig commands (note that ordinary name resolution and CAA are two separate things):

dig @dns.server domain.com caa
dig @dns.server sub.domain.com caa

If there is no CAA record, the query times out:

; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Caddy cannot obtain an HTTPS certificate through ACME because the CAA lookup for the subdomain fails. A CA treats a timed-out CAA query as a lookup failure and refuses to issue; this is different from a server that answers NOERROR with an empty answer, which the CA treats as "no CAA restriction" and may climb the tree to the parent name for.

My solution: since the apex domain is fine, I leave it alone. For the subdomain, the only option is to move its DNS resolution back to GoDaddy to fix the missing CAA, weighing the following points:

  1. GoDaddy's DNS resolution is noticeably slower for visitors in mainland China, so it is best avoided for sites serving China, but it is acceptable for an experimental project
  2. Domestic DNS providers charge relatively high prices if you want separate resolution for domestic and overseas visitors
  3. The HTTPS certificate is renewed every three months; manually switching to GoDaddy for each renewal and then switching back would be far too much trouble

What is CAA?

CAA stands for Certification Authority Authorization. A CAA record restricts which certificate authorities may issue certificates for a domain name, mainly to prevent mis-issuance that could be used for phishing. For example, if someone obtains an HTTPS certificate for a domain name that does not belong to them, that is clearly illegitimate, and the domain name owner should be notified when it happens.
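As an added example (not code from the original post), here is the CAA check a CA performs before issuing, modelled on RFC 8659 and run over a constructed in-memory zone so it works offline; it shows why the timed-out lookup for the subdomain above blocks issuance while a name that simply has no CAA record falls back to its parent. The zone contents, the `lookup_caa` stand-in and the CA identifiers are assumptions.

```python
from typing import List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone (an assumption, not the author's real DNS data).
# [] models NOERROR with an empty answer (no CAA record at this name);
# None models a server that never answers the CAA query, i.e. the timeout
# seen in the Caddy log above.
ZONE = {
    "hegwin.me.": [(0, "issue", "letsencrypt.org"),
                   (0, "iodef", "mailto:hostmaster@example.invalid")],
    "wow.hegwin.me.": None,                    # CAA query times out
    "good.hegwin.me.": [],                     # no record, parent decides
    "closed.hegwin.me.": [(0, "issue", ";")],  # no CA may issue at all
}

def lookup_caa(name: str) -> Optional[List[CAARecord]]:
    """Stand-in for a real DNS CAA query against the constructed zone."""
    return ZONE.get(name, [])

def relevant_caa(fqdn: str, lookup=lookup_caa) -> List[CAARecord]:
    """RFC 8659 section 3: climb from the FQDN towards the root; the first
    name with a non-empty CAA RRset decides. Any failed query aborts."""
    labels = fqdn.rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = lookup(name)
        if rrset is None:
            raise LookupError("CAA lookup failed for " + name)
        if rrset:
            return rrset
    return []

def may_issue(fqdn: str, ca: str = "letsencrypt.org", lookup=lookup_caa):
    """True/False if CA `ca` may issue for fqdn; None if a lookup failed,
    which a CA must treat as 'do not issue', not as 'no restriction'."""
    wildcard = fqdn.startswith("*.")
    try:
        rrset = relevant_caa(fqdn, lookup)
    except LookupError:
        return None
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:  # issuewild takes precedence for wildcards, else issue
        values = [v for _, t, v in rrset if t == tag]
        if values:
            # value is "<ca-domain>[; parameters]"; a bare ";" allows nobody
            allowed = {v.split(";")[0].strip().lower() for v in values}
            return ca.lower() in allowed
    return True  # no issue/issuewild tags at all: any CA may issue
```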
