YunoHost / issues

General issue tracker for the YunoHost project

Allow Let's encrypt wildcard subdomain certificates in CAA records #2128

Open renne opened 1 year ago

renne commented 1 year ago

Describe the bug

The CAA DNS resource records suggested by Yunohost/created by the autodns feature include only an "issue" statement for single subdomain certificates. A strict implementation must not create wildcard certificates.

Context

To reproduce

Go to the DNS settings of a domain and view the suggested DNS CAA resource records -> no "issuewild" statement.

Expected behavior

The suggested CAA-RRs should contain an "issuewild" statement to allow the creation of wildcard subdomain certificates.

tituspijean commented 1 year ago

Related to https://github.com/YunoHost/issues/issues/2089

renne commented 1 year ago

@alexAubin @tituspijean Just add additional CAA resource records in /src/dns.py lines 141 and 251 (dev-branch) with the "issuewild" tag. It is the same record as the "issue" tag:

;; CAA Records
example.com.    3600    IN  CAA 0 issue     "letsencrypt.org"
example.com.    3600    IN  CAA 0 issuewild "letsencrypt.org"

After that change, Let's Encrypt wildcard certificates can be requested via the DNS challenge.
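Added example (not YunoHost's own code): it builds the record set proposed above, renders and parses the zone-file lines, and evaluates which issuers a CAA RRset authorizes for a name and for its wildcard following RFC 8659, where an issuewild record, when present, governs wildcard names on its own (so `issuewild ";"` can forbid wildcards while `issue` still permits ordinary certificates), and where no issuewild record exists the issue records apply. The domain, TTL and record values are constructed sample input.

```python
"""Constructed example: build CAA record sets and evaluate them per RFC 8659."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = not critical, 128 = issuer-critical flag set
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally followed by ";param=value", or ";" alone

# Matches the zone-file layout used in the comment above: name, TTL, class, type, rdata.
_ZONE_LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')


def suggested_caa_records(ca="letsencrypt.org", allow_wildcard=True):
    """Record set a DNS panel should suggest: 'issue', plus 'issuewild' when wildcards are wanted."""
    records = [CAARecord(0, "issue", ca)]
    if allow_wildcard:
        records.append(CAARecord(0, "issuewild", ca))
    return records


def render_zone(domain, records, ttl=3600):
    """Render the records as zone-file lines, one per record (constructed TTL)."""
    return [f'{domain}.\t{ttl}\tIN\tCAA\t{r.flags} {r.tag} "{r.value}"' for r in records]


def parse_zone_line(line):
    """Parse one CAA zone-file line back into a CAARecord; raises ValueError if malformed."""
    m = _ZONE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA zone line: {line!r}")
    return CAARecord(int(m.group(3)), m.group(4).lower(), m.group(5))


def authorized_issuers(records, wildcard):
    """Issuer domains allowed to issue for the name (wildcard=True: for *.name).

    RFC 8659: if any 'issuewild' record exists, those alone govern wildcard names;
    otherwise the 'issue' records govern both. An empty RRset means no restriction
    (returned as None). A value of ";" names no issuer and therefore forbids issuance.
    CA-specific parameters after ';' are ignored for the issuer match.
    """
    if not records:
        return None
    wild = [r for r in records if r.tag == "issuewild"]
    relevant = wild if (wildcard and wild) else [r for r in records if r.tag == "issue"]
    issuers = set()
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer:
            issuers.add(issuer)
    return issuers
```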