AWS CAA failing

I saw this:

https://forums.aws.amazon.com/thread.jspa?messageID=847603&tstart=0

and this

Do I need to just add CAA records for every AWS URL?

I did that already but maybe I need to give it some time to propagate?

Wow, that’s a lot of CAA records you’ll have to add. They’ll propagate quickly, but I don’t know how long it takes a CA to notice it’s been updated. You can check your domain’s CAA records at dnschecker.org

Do you have AMP URL enabled? Cloudflare will auto-add CAA if you enable AMP Real URL: Configuring CAA Records – Cloudflare Help Center

Cloudflare also adds CAA records when AMP Real URL is enabled under the Optimization tab of the Cloudflare Speed app. Cloudflare does not append additional CAA records if Universal SSL is disabled or if no CAA records are added via the DNS app.

These CAA DNS records do not display in the Cloudflare dashboard DNS app. However, if you run a command line query using dig , any existing CAA records will show, including the ones added by Cloudflare Universal SSL.

If you use AWS for any form of SSL certificate issuance with Cloudflare, you will need the following CAA records for amazonaws.com, amazon.com, amazontrust.com and awstrust.com for both issue/issuewild. I don’t use CAA myself, but this is what one of my friends needed for AWS SSL issuance when AMP Real URL is enabled.

You can check your domain via dig command

dig +short CAA yourdomain.com | sort

dig output when AMP Real URL enabled and additional AWS CAA records added

0 issue "amazonaws.com"
0 issue "amazon.com"
0 issue "amazontrust.com"
0 issue "awstrust.com"
0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issuewild "amazonaws.com"
0 issuewild "amazon.com"
0 issuewild "amazontrust.com"
0 issuewild "awstrust.com"
0 issuewild "comodoca.com"
0 issuewild "digicert.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
1 Like

The Amazon docs state that you only need one of these, not all four.

1 Like

Actually AWS docs aren’t correct it seems. The advice for all 4 entries for my friend came from an AWS paid tech support rep themselves and it did fix my friend’s issue with AWS and Cloudflare for CAA 🙂 Not the first time docs don’t have the full info 🙂

4 Likes

I’ve never had an issue just using Amazon.com, but they might have alternative verification paths that do something strange.

Yeah, hard to say if my friend’s issue was a one-off or not. Once they added all 4 domains for issue/issuewild, it all worked fine. Maybe it’s related to enabling CF AMP Real URL?

The SXG certs used by AMP Real URL require a CAA record with the cansignhttpexchanges extension, and once you have any CAA record you need to authorise every CA you use.

1 Like
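To see the rule above in practice (and to check the dig output quoted earlier in the thread offline), here is an added Python example, not code from the thread, Cloudflare or AWS: it parses `dig +short CAA` lines and applies the RFC 8659 issue/issuewild decision, including the cansignhttpexchanges parameter that the SXG certificates need. The sample records are constructed from the output quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `dig +short CAA` output quoted in the thread.
SAMPLE_DIG_OUTPUT = """\
0 issue "amazon.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "amazonaws.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
"""

@dataclass
class CaaRecord:
    flags: int    # 128 = critical bit, 0 otherwise (RFC 8659)
    tag: str      # "issue", "issuewild" or "iodef"
    issuer: str   # CA domain; "" (from an `issue ";"` record) authorises nobody
    params: dict  # e.g. {"cansignhttpexchanges": "yes"}

_LINE = re.compile(r'^(\d+)\s+(\w+)\s+"(.*)"$')

def parse_dig_caa(text):
    """Parse `dig +short CAA` output lines into CaaRecord objects."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        issuer, *param_parts = (p.strip() for p in m.group(3).split(";"))
        params = {k.strip().lower(): v.strip()
                  for k, _, v in (kv.partition("=") for kv in param_parts if kv)}
        records.append(CaaRecord(int(m.group(1)), m.group(2).lower(), issuer.lower(), params))
    return records

def issuance_allowed(records, ca_domain, wildcard=False, sxg=False):
    """RFC 8659: may `ca_domain` issue for this name? sxg=True also needs cansignhttpexchanges=yes."""
    if not records:
        return True  # no CAA records at all: any CA may issue
    # Wildcard names use issuewild records when any exist (else issue); non-wildcard names ignore issuewild.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # CAA present but silent on this property: not restricted
    matches = [r for r in relevant if r.issuer == ca_domain.lower()]
    if sxg:  # the SXG certificate case: the listed CA must carry the extension
        return any(r.params.get("cansignhttpexchanges") == "yes" for r in matches)
    return bool(matches)  # a CAA set exists: unlisted CAs must refuse to issue

def unauthorized_cas(records, cas_in_use, wildcard=False):
    """Once any CAA record exists every CA you use must be listed: report the gaps."""
    return [ca for ca in cas_in_use if not issuance_allowed(records, ca, wildcard)]
```

Feed it the real output of `dig +short CAA yourdomain.com` and the list of CAs you actually use (for both plain and wildcard names) and `unauthorized_cas` names the records still missing.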

Indeed, makes sense 🙂

Hi all, I needed to add a bunch of CAA records, then make sure the CNAME record I wanted was “DNS only”, THEN I had to delete the cert on Amazon and re-add it fresh for it to fully work (this was the key, because I kept refreshing after the first failure and it never validated, but after re-adding it, it worked).

2 Likes

Good to know!