Open alexhass opened 5 years ago
Please share the domain names for us to investigate in private message at https://community.qualys.com/people/nshah
After the investigation, we will update about the status of it
Have you been able to review the issue?
@alexhass can you please connect with me on personal message? I have the domains that were shared by you. I'm not able to reproduce the issue so I would need your help on reproducing the scenario for the domains shared by you.
Regards, Nauman Shah
@alexhass
The domain name shared by you. For that domain name, I'm not able to replicate the issue. Can you help me with some tools or commands that will allow me to identify the CAA record?
Thanks and Regards, Nauman Shah
Hi,
Similar case: main domain has a CAA record, but CNAMEd domain does not:
Hostname: idee.quickline.ch (which is hosted on cloudflare).
Given the domain with a CAA:
$ dig +short quickline.ch caa
0 iodef "mailto:ops@as15600.net"
0 issue "letsencrypt.org; validationmethods=dns-01"
0 issuewild "letsencrypt.org; validationmethods=dns-01"
The SSLLabs test claims that is the CAA record, which is false, as quickline.uservoice.com CAA should be checked, which has no policy.
CNAME:
$ dig +short idee.quickline.ch cname
quickline.uservoice.com.
No CAA for the final domain:
$ dig +short quickline.uservoice.com. caa
Additionally: SSLLabs gives an A+ at the moment for idee.quickline.ch, which has an SSL certificate issued by Cloudflare, .... thus if you think the policy of quickline.ch should be used, then that means that the Cloudflare issue is invalid.
Though... of course, the one checking the CAA record is normally the CA, and they might just ignore CAA; but I think it would be really good to have not a "green CAA is great" but a "There is a CAA record, but the CA used for this certificate does not match the CAA for that certificate".
Though... there are people who revoke the CAA record the moment they have issued the certificate. Hence, a mismatched CAA policy / CA from the cert should only raise a warning, as the certificate does work and the CAA might have been valid at the time of issue.
Issue:
CAA not read from CNAME domain.
Repro:
example.com
I configured CAA:
example.com. CAA 128 issue "letsencrypt.org"

A record
foo.mydomain.net.example.com
has been added.

mydomain.net
domain has no CAA DNS entries configured.
foo.mydomain.net CNAME foo.mydomain.net.example.com

www.example.com
shows that CAA exists as configured.

foo.mydomain.net.example.com
shows that CAA exists as configured.

foo.mydomain.net
and it tells me CAA does not exist! This is not correct.

Per https://letsencrypt.org/docs/caa/ this should work, but it does not.
Is this a known bug? Can you fix it, please?
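Added example, not code from this issue thread, from SSL Labs or from Let's Encrypt: the two standardised CAA lookup algorithms, RFC 6844 section 4 and its successor RFC 8659 section 3, run over a constructed in-memory zone that mirrors the two CNAME cases discussed above (idee.quickline.ch pointing at quickline.uservoice.com, and foo.mydomain.net pointing at foo.mydomain.net.example.com). The CAA record contents are the ones quoted in the thread; the A records, the IP addresses, the `other-ca.example` issuer name and the zone layout itself are constructed. The point the example makes is that the two algorithms disagree on the foo.mydomain.net repro: RFC 6844 recurses into the CNAME target and climbs that target's parents, so it reaches example.com's record, whereas RFC 8659 lets the resolver chase the CNAME for the CAA query and then climbs the parents of the original name only, so it finds no record. For the quickline case both algorithms return quickline.ch's record set. The `issuer_permitted` helper is the comparison a scanner would need for the "CA in the certificate does not match the CAA" warning suggested above.

```python
"""Added example: CAA lookup under RFC 6844 vs RFC 8659 over a constructed zone.

The zone below is an in-memory stand-in for DNS (no network). Names are
fully qualified with a trailing dot. CAA record contents for example.com
and quickline.ch are the ones quoted in the thread; the A records and the
addresses are constructed for illustration.
"""
import shlex
from typing import Dict, List, Optional

ZONE: Dict[str, Dict[str, object]] = {
    # alexhass's repro: CAA at the apex, CNAME from another zone into it
    "example.com.": {"CAA": ['128 issue "letsencrypt.org"']},
    "foo.mydomain.net.example.com.": {"A": "192.0.2.10"},            # constructed
    "foo.mydomain.net.": {"CNAME": "foo.mydomain.net.example.com."},
    # second commenter's case: CAA at quickline.ch, CNAME to a third party
    "quickline.ch.": {"CAA": [
        '0 iodef "mailto:ops@as15600.net"',
        '0 issue "letsencrypt.org; validationmethods=dns-01"',
        '0 issuewild "letsencrypt.org; validationmethods=dns-01"',
    ]},
    "idee.quickline.ch.": {"CNAME": "quickline.uservoice.com."},
    "quickline.uservoice.com.": {"A": "192.0.2.20"},                 # constructed
}


def parent(name: str) -> str:
    """PARENT(X): drop the leftmost label; the root is spelled '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def cname_target(name: str, zone=ZONE) -> Optional[str]:
    return zone.get(name, {}).get("CNAME")


def caa_rrset(name: str, zone=ZONE, chase_cname: bool = True) -> List[str]:
    """CAA(X). With chase_cname, behave like a resolver answering a CAA query:
    follow the CNAME chain and return the CAA set at the final target."""
    seen = set()
    while chase_cname and cname_target(name, zone) is not None:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cname_target(name, zone)
    return list(zone.get(name, {}).get("CAA", []))


def relevant_caa_rfc6844(name: str, zone=ZONE, depth: int = 0) -> List[str]:
    """RFC 6844 section 4: CAA(X), else R(A(X)) for an alias (which itself
    climbs the alias target's parents), else R(P(X)) until a TLD is reached."""
    if depth > 32:  # guard against pathological alias chains
        return []
    rrset = caa_rrset(name, zone, chase_cname=False)
    if rrset:
        return rrset
    target = cname_target(name, zone)
    if target is not None:
        via_alias = relevant_caa_rfc6844(target, zone, depth + 1)
        if via_alias:
            return via_alias
    if parent(name) != ".":  # "X is not a top-level domain"
        return relevant_caa_rfc6844(parent(name), zone, depth + 1)
    return []


def relevant_caa_rfc8659(name: str, zone=ZONE) -> List[str]:
    """RFC 8659 section 3: query CAA(X) (the resolver chases the CNAME), then
    climb the parents of the original name, never those of the alias target."""
    while name != ".":
        rrset = caa_rrset(name, zone, chase_cname=True)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_permitted(rrset: List[str], ca_domain: str, wildcard: bool = False) -> bool:
    """Does the relevant CAA set allow ca_domain to issue? An empty set allows
    any CA; 'issuewild' overrides 'issue' for wildcard requests only."""
    if not rrset:
        return True
    parsed = [shlex.split(rr) for rr in rrset]  # each becomes [flags, tag, value]
    tag = "issuewild" if wildcard and any(p[1] == "issuewild" for p in parsed) else "issue"
    allowed = set()
    for _flags, rr_tag, value in parsed:
        if rr_tag != tag:
            continue
        domain = value.split(";", 1)[0].strip().lower()  # drop "; key=value" parameters
        if domain:
            allowed.add(domain)
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host in ("foo.mydomain.net.", "idee.quickline.ch."):
        print(host)
        print("  RFC 6844:", relevant_caa_rfc6844(host) or "(none)")
        print("  RFC 8659:", relevant_caa_rfc8659(host) or "(none)")
```

Which algorithm a CA actually applies is the CA's decision, so a scanner that reports CAA status has to say which lookup it performed; for the foo.mydomain.net layout the verdict flips between the two RFCs, while a CAA record published after issuance (the timing caveat raised above) can only ever produce a warning, never a statement that the certificate is invalid.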