Does Cloudflare support CAA for Let's Encrypt?

Hello!

Does Cloudflare answer CAA record requests from Let’s Encrypt correctly?

I came across this list https://sslmate.com/caa/support and saw

Cloudflare | Broken | Does not return CNAME record when queried for a CAA record.

Could you clarify that point or share docs about Cloudflare + Let’s Encrypt? Thank you.

It does work; I have it set up for my own domain.

2 Likes

Good news! Could you share docs or an example for your domains?

Add a simple CAA record; no documentation is needed. Just in case…

https://support.dnsimple.com/articles/caa-record/

Yep, I came across those docs.


Is it right?

Seems to be. I would also add an iodef one to report “violations”.

Hm, ok. But right now it doesn’t work.

Proxying by Cloudflare is disabled, right?

Am I right that the current certs are available for ravecat.io and all subdomains *.ravecat.io?

So, as I understand it, after getting a cert for any subdomain my counter increases by 1?

Which counter?

0 issues letsencrypt.org

Do you have similar records for Let’s Encrypt?

That isn’t a counter; it won’t change. It’s a record you are adding, and it will stay the same forever. There is no counter; it’s a record the CAs query to check whether they are allowed to issue for your domain.

To monitor, enable “Certificate Transparency Monitoring” in https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

1 Like
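To make the "record the CAs query" concrete, here is an added example (not code from Cloudflare, Let's Encrypt or anyone in this thread) that models the CAA check a CA performs under RFC 8659: climb from the requested name toward the root until a CAA RRset is found, then apply the `issue` records (or `issuewild` for a wildcard request) and collect the `iodef` contacts. The `ZONE` dict is constructed stand-in data for DNS answers and example.com is a placeholder, not the poster's domain; a real checker would resolve CAA through DNS instead.

```python
"""Offline model of the CAA check a CA performs (RFC 8659 sections 3 and 4).

Added example, not code from Cloudflare, Let's Encrypt or the thread.
ZONE below is a constructed stand-in for DNS answers; a real checker
would query CAA via DNS instead of reading a dict.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

ISSUER_CRITICAL = 128  # flags bit 7: CA must understand the tag or refuse to issue


class CAA(NamedTuple):
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # CA domain (optionally "; key=value" parameters), ";" for nobody, or an iodef URL


# Constructed zone data (example.com is a placeholder, not the poster's domain):
#   apex    -> Let's Encrypt may issue normal and wildcard certs, violations reported by mail
#   app.    -> Let's Encrypt may issue normal certs, wildcard issuance forbidden for everyone
#   legacy. -> no CAA of its own, so the apex records apply when a CA climbs the tree
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "app.example.com": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),
    ],
}


def relevant_caa(name: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """Return the closest non-empty CAA RRset at `name` or one of its ancestors (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_of(value: str) -> str:
    """Strip "; key=value" parameters from an issue/issuewild value; "" means nobody may issue."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(fqdn: str, ca: str, zone: Dict[str, List[CAA]]) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `fqdn` (a name, or "*.name" for a wildcard cert)."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn          # "*.x" is evaluated using the RRset found for "x"
    found_at, rrset = relevant_caa(base, zone)
    if not rrset:
        return True, "no CAA records on the name or any ancestor; any CA may issue"
    # A critical record with a tag the CA does not understand forbids issuance outright.
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unrecognised critical property '{r.tag}' at {found_at}"
    tag = "issuewild" if wildcard else "issue"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not applicable:                  # no issuewild: issue records govern wildcards too
        tag = "issue"
        applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True, f"CAA at {found_at} has no {tag} records; issuance is unrestricted"
    permitted = {issuer_of(r.value) for r in applicable}
    if ca.lower() in permitted:
        return True, f"{tag} {ca} at {found_at}"
    names = sorted(p for p in permitted if p) or ["nobody"]
    return False, f"{tag} at {found_at} permits only {', '.join(names)}"


def report_addresses(fqdn: str, zone: Dict[str, List[CAA]]) -> List[str]:
    """iodef destinations a CA should notify about a refused request for `fqdn`."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    _, rrset = relevant_caa(base, zone)
    return [r.value for r in rrset if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "other-ca.test"),
                     ("*.example.com", "letsencrypt.org"), ("*.app.example.com", "letsencrypt.org"),
                     ("legacy.example.com", "letsencrypt.org"), ("nocaa.test", "letsencrypt.org")]:
        ok, why = issuance_allowed(name, ca, ZONE)
        print(f"{name:22} {ca:17} {'ALLOW' if ok else 'DENY ':5} {why}")
        if not ok:
            print(f"{'':22} report to: {report_addresses(name, ZONE) or 'nobody'}")
```

Running it shows why a single `0 issue letsencrypt.org` at the apex is not a counter: every subdomain without its own CAA inherits it, and it never changes as certificates are issued. The `app.example.com` entry also shows the two edge cases worth remembering: an `issuewild ";"` record blocks wildcard issuance for every CA, and a critical flag on a tag the CA does not recognise blocks issuance entirely.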

I have a cert managed by Cloudflare. Where is Let’s Encrypt?

You won’t see anything in the dashboard. The ones you are seeing are the ones that Cloudflare uses, if you enable proxying, for encrypting the connection towards the users. You will receive an e-mail for every new certificate that is issued.

For which record do I need to enable proxying? And what mail? Maybe Cloudflare has docs about working with Let’s Encrypt certs; I’m probably stealing your time with silly questions.

The HTTP/HTTPS ones, the main reason why people normally enable Cloudflare.

Read and look around this…

https://www.cloudflare.com/learning/

Read here… https://blog.cloudflare.com/introducing-certificate-transparency-monitoring/

No guide, it’s the same as any other certificate, no specific configuration needed on Cloudflare’s part.

Yep, I know about that simple scheme: enable the proxy and the site has HTTPS, it’s a feature out of the box. But how can I use a Let’s Encrypt cert? Maybe there is a shared step-by-step guide?

You can’t use a Let’s Encrypt cert towards the user (unless you upgrade to Business, but it’s totally unnecessary), you must use the one provided by Cloudflare. There is no reason to use Let’s Encrypt, why would you want to do that?

Let’s Encrypt is useful if you want (as it’s highly recommended) to have HTTPS towards the origin server as well.

Oh, thank you for the clarification, I’m glad that we are getting closer to the same point.

I know about out-of-the-box CF features like the proxy.

But my question was about the ability to bind a Let’s Encrypt cert, which I can use with wildcard records as I understand it, because on my server I generate many sub-domain records and manually adding every record in CF isn’t good for me.

So, as I understand it, it depends on my account plan.

Thank you for your time.

The default Cloudflare cert supports the base domain and the first wildcard. All first-order subdomains have a cert that works. Additional ones, second level, will need an additional cert on Cloudflare at $10/month (they can’t issue infinite free certs for each domain…).

You can add a wildcard record to DNS in Cloudflare, but it can be proxied only using Enterprise. You can add the records via the API, if you want.

api.cloudflare.com
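For the "add the records via the API" route, here is an added example (not code from Cloudflare or from anyone in this thread) that builds the request bodies for a DNS-only wildcard A record plus the matching CAA records and posts them to the Cloudflare v4 `dns_records` endpoint. It assumes an API token with DNS edit permission in `CF_API_TOKEN` and the zone id in `CF_ZONE_ID`; example.com, the 192.0.2.10 address and the iodef mailbox are constructed placeholders.

```python
"""Create DNS records in a Cloudflare zone through the v4 API.

Added example, not code from Cloudflare or from the thread. It assumes
an API token with DNS edit rights in CF_API_TOKEN and the zone id in
CF_ZONE_ID; record names and addresses below are constructed placeholders.
"""
import json
import os
import urllib.request
from typing import Any, Dict, List, Optional

API = "https://api.cloudflare.com/client/v4"


def caa_record(name: str, tag: str, value: str, flags: int = 0) -> Dict[str, Any]:
    """Body for a CAA record; Cloudflare takes CAA fields in a 'data' object rather than 'content'."""
    if tag not in ("issue", "issuewild", "iodef"):
        raise ValueError(f"unsupported CAA tag {tag!r}")
    return {"type": "CAA", "name": name, "ttl": 1,  # ttl 1 = "automatic" in Cloudflare's API
            "data": {"flags": flags, "tag": tag, "value": value}}


def address_record(name: str, ip: str, proxied: bool = False) -> Dict[str, Any]:
    """Body for an A record. proxied=False keeps it DNS-only, which the thread notes is
    what a wildcard record needs unless the zone is on an Enterprise plan."""
    return {"type": "A", "name": name, "content": ip, "ttl": 1, "proxied": proxied}


def wildcard_plan(domain: str, ip: str, ca: str = "letsencrypt.org",
                  iodef: Optional[str] = None) -> List[Dict[str, Any]]:
    """One wildcard A record plus the CAA records a single-CA setup needs at the base domain;
    subdomains without their own CAA inherit these when a CA climbs the tree."""
    records = [
        address_record(f"*.{domain}", ip, proxied=False),
        caa_record(domain, "issue", ca),
        caa_record(domain, "issuewild", ca),
    ]
    if iodef:
        records.append(caa_record(domain, "iodef", iodef))
    return records


def create_record(zone_id: str, token: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """POST one record and return Cloudflare's JSON envelope ({'success': ..., 'errors': ..., 'result': ...})."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    zone_id, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    # Constructed placeholders: replace with your own zone, origin address and contact mailbox.
    for body in wildcard_plan("example.com", "192.0.2.10", iodef="mailto:security@example.com"):
        reply = create_record(zone_id, token, body)
        status = "ok" if reply.get("success") else f"failed: {reply.get('errors')}"
        print(body["type"], body["name"], status)
```

Checking `success` in the envelope matters: Cloudflare returns HTTP 200 with `"success": false` for some validation failures (for instance a duplicate record), so the HTTP status alone does not tell you the record exists.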

Thank you for the answer. Yep, I thought about creating them with API requests, but that’s a backup plan.