superfly / flyctl

Command line tools for fly.io services
https://fly.io
Apache License 2.0

flyctl cert check #442

Open tqbf opened 3 years ago

tqbf commented 3 years ago

Someone had trouble issuing a certificate for their Fly app today, and it turned out that they had a CAA record set on the subdomain they were using; CAA records tell CAs which CAs are allowed to issue certificates. Your CAA record might for instance say that only Amazon's CA can issue a certificate for "foo.example.com"; in that case, LetsEncrypt will refuse to issue a certificate for it.

We should have a command to check domain configuration to rule out the basic reasons why LetsEncrypt's issuance might fail, so people aren't confused or stalled when simple misconfigurations have happened.

We'd call this flyctl cert check.

A starting point for this command, which might do a bunch of different checks, would be to check for CAA records. If no CAA record exists in a subdomain (like "foo.example.com"), or in its parent ("example.com"), then there's no problem. If a CAA record DOES exist, it needs to include "letsencrypt.org", or we can't issue certs. The CAA record will either need to be modified or removed.

More on LetsEncrypt CAA behavior here:

https://letsencrypt.org/docs/caa/

We can register a domain and set CAA records on it to test this, or I can set up a domain with CAA on it.
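An added example in Go of the check described above (not flyctl's own code): climb from the subdomain toward its parent, take the closest CAA RRset, and require an `issue` tag that names letsencrypt.org. The `Lookup` type, the constructed `SampleZones` table and the `CheckCAA` name are assumptions; only the `issue` tag (non-wildcard names) is handled, and a real build would plug a DNS client into `Lookup`.

```go
package main

import "strings"

// CAARecord is one CAA RR (RFC 8659); Tag is "issue", "issuewild" or "iodef".
type CAARecord struct{ Tag, Value string }

// Lookup returns the CAA RRset for one exact name (nil if none); a real DNS client goes here.
type Lookup func(name string) ([]CAARecord, error)

// SampleZones is constructed test data, not real DNS: foo.example.com has no
// CAA of its own, so the parent's Amazon-only record governs it.
var SampleZones = map[string][]CAARecord{
	"example.com":      {{"issue", "amazon.com"}},
	"ok.example.org":   {{"issue", "letsencrypt.org; validationmethods=dns-01"}},
	"deny.example.net": {{"issue", ";"}}, // explicit "nobody may issue"
}
func SampleLookup(name string) ([]CAARecord, error) { return SampleZones[name], nil }

// relevantCAA climbs from the hostname toward the TLD and returns the closest
// RRset found, which per RFC 8659 is the only one that applies.
func relevantCAA(name string, lookup Lookup) (string, []CAARecord, error) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	for i := 0; i < len(labels)-1; i++ { // never query the bare TLD
		zone := strings.Join(labels[i:], ".")
		if rrs, err := lookup(zone); err != nil || len(rrs) > 0 {
			return zone, rrs, err
		}
	}
	return "", nil, nil
}

// CheckCAA reports whether caDomain (e.g. "letsencrypt.org") may issue for name: no CAA
// anywhere in the chain allows any CA; otherwise an "issue" tag must name caDomain.
func CheckCAA(name, caDomain string, lookup Lookup) (bool, string, error) {
	zone, rrs, err := relevantCAA(name, lookup)
	if err != nil {
		return false, "", err
	}
	if len(rrs) == 0 {
		return true, "no CAA records found; any CA may issue", nil
	}
	for _, rr := range rrs {
		// Parameters after ';' (e.g. validationmethods) do not affect the issuer match.
		issuer := strings.TrimSpace(strings.SplitN(rr.Value, ";", 2)[0])
		if rr.Tag == "issue" && strings.EqualFold(issuer, caDomain) {
			return true, "CAA at " + zone + " permits " + caDomain, nil
		}
	}
	return false, "CAA at " + zone + " does not allow " + caDomain + "; edit or remove it", nil
}
```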

rugwirobaker commented 3 years ago

Since there already is a certs check command, wouldn't this be confusing?

redjonzaci commented 1 year ago

@rugwirobaker hey there! What do you think we should do about this issue?