CAA record

I can’t see CAA record but CAA record exists in GoDaddy. Please advise.

https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ

Cloudflare adds these in the background if you add your own CAA record, to make sure Universal SSL continues to work.

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

Ok so I added a CAA record for subdomain

Name: new (for example)
Flags: 0 (required)
TTL: Auto
Tag (required): Only allow specific hostnames
CA domain name (required): new.domain.com

I presume this is correct

This attribute should be the identifier used by the Certificate Authority you are planning to use.

Cloudflare also add CAA records if you enable AMP Real URL.

Name: new (for example)
Flags: 0 (required)
TTL: Auto
Tag (required): Only allow specific hostnames
CA domain name (required): comodoca

Then repeat using digicert and letsencrypt.org

Result should be as follows:

new.domain.com. IN CAA 0 issue "comodoca.com"
new.domain.com. IN CAA 0 issue "digicert.com"
new.domain.com. IN CAA 0 issue "letsencrypt.org"
new.domain.com. IN CAA 0 issuewild "comodoca.com"
new.domain.com. IN CAA 0 issuewild "digicert.com"
new.domain.com. IN CAA 0 issuewild "letsencrypt.org"

Is this correct?

It depends on what you are trying to do. You should add CAA records where you are issuing certificates yourself. Cloudflare will add their own CAA records as required for Amp Real URL or Universal Cloudflare certs.

OK so I disable Amp Real URL.

Do I need to add CAA records for example.com only, for example or do I need to add CAA records for subdomains as well? I am by no means an expert.

Thank you in advance.

According to this screenshot there is a CAA record that needs to be removed. I don’t know what steps to take in Cloudflare in order to view and/or remove CAA records.

I have attempted to upgrade from the free plan to the professional plan per a conversation I had with someone at sales with no luck. How do I upgrade the plan for a specific domain and have the upgrade remain place?

Your CAA records on allmar.com do not allow GoDaddy to issue certificates.

;; ANSWER SECTION:
allmar.com.		3589	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
allmar.com.		3589	IN	CAA	0 issuewild "letsencrypt.org"
allmar.com.		3589	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"
allmar.com.		3589	IN	CAA	0 issue "letsencrypt.org"
allmar.com.		3589	IN	CAA	0 issue "pki.goog; cansignhttpexchanges=yes"
allmar.com.		3589	IN	CAA	0 issuewild "comodoca.com"
allmar.com.		3589	IN	CAA	0 issuewild "pki.goog; cansignhttpexchanges=yes"
allmar.com.		3589	IN	CAA	0 issue "comodoca.com"

If you would like GoDaddy to be able to issue certificates, you need to add a CAA record that allows them to do this.

As an example, using Cloudflare DNS:

This is only required since you already have CAA records - if you don’t want to restrict who can issue certificates for your domain, you could also just remove your CAA records which wouldn’t restrict issuance at all.

Edit: for reference regarding GoDaddy’s CA domain name, check https://uk.godaddy.com/help/using-caa-records-with-your-ssl-certificate-27227
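As an added illustration (not code from the thread or from Cloudflare), the check below evaluates a CAA set the way a CA does under RFC 8659, using a constructed zone modelled on the dig output above: the lookup for a subdomain with no CAA of its own climbs to the parent, which is also why the apex records decide issuance for "new.allmar.com". It assumes "godaddy.com" is the CA domain name GoDaddy lists on its help page.

```python
import re

# Constructed sample zone modelled on the dig output in the thread; the
# "new" subdomain deliberately has no CAA records of its own.
SAMPLE_ZONE = {
    "allmar.com.": [
        '0 issue "digicert.com; cansignhttpexchanges=yes"',
        '0 issuewild "letsencrypt.org"',
        '0 issue "letsencrypt.org"',
        '0 issue "pki.goog; cansignhttpexchanges=yes"',
        '0 issuewild "comodoca.com"',
        '0 issue "comodoca.com"',
    ],
    "new.allmar.com.": [],
}

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(rdata):
    """Split '0 issue "ca; k=v"' into (flags, tag, ca_domain, params)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"bad CAA rdata: {rdata}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    domain, _, params = value.partition(";")
    return flags, tag, domain.strip().lower(), params.strip()

def relevant_caa(zone, fqdn):
    """RFC 8659 lookup: closest name (fqdn or an ancestor) with a CAA set."""
    name = fqdn.rstrip(".") + "."
    while name:
        rrset = zone.get(name, [])
        if rrset:
            return name, rrset
        name = name.partition(".")[2]  # climb one label towards the root
    return None, []

def issuance_permitted(zone, fqdn, ca_domain, wildcard=False):
    """True if ca_domain may issue for fqdn (or *.fqdn when wildcard)."""
    _, rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    parsed = [parse_caa(r) for r in rrset]
    tag = "issue"
    if wildcard and any(p[1] == "issuewild" for p in parsed):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    return ca_domain.lower() in {p[2] for p in parsed if p[1] == tag}

def allow_ca(zone, name, ca_domain):
    """The fix from the thread: add an issue record for the extra CA (assumed id)."""
    zone.setdefault(name.rstrip(".") + ".", []).append(f'0 issue "{ca_domain}"')
```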

Thank you so very much. That fixed my problem. Have an awesome day!!!


Cloudflare adds these in the background if you add your own CAA record, to make sure Universal SSL continues to work.

You know, while I’m glad they add those automatically, it’s rather annoying that they don’t actually show them in the dashboard.

I’d expect them to show up as uneditable CAA fields, so you know “These are here, we’re not going to let you touch them because it’d break immediately, disable Universal SSL if you want them to go away”.

It’s also weird that you can’t have them added without adding an additional CAA field yourself. They’re the sort of thing most people would benefit from enabling, much like SPF.
