Missing Certificate Authority Authorization Rule

We were alerted to a potential issue using CF’s SSL cert. Our site uses LetsEncrypt but since we’re proxying the whole site through CF, it seems this isn’t something we can fix on our end and don’t know whether it actually needs fixing.

They’ve told us “Certificate Authority Authorization (supported by LetsEncrypt and other CAs) allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA of record for the target site. This helps reduce the threat of a bad guy tricking a Certificate Authority into issuing a phony certificate for your site.
The CAA rule is stored as a DNS resource record of type 257.”

And upon verifying it at https://caatest.co.uk/'our site', it in fact returns with "✘ Couldn't find a CAA record

No CAA found"

So, what should we do?

Cheers and thanks for your help.

There are two scenarios where CAA comes into play.

  1. You have no CAA records. In that situation any CA can issue a certificate for your domain/hostname if it is authorised in the normal way (as per the rules of the CA/B Forum).

  2. You have some CAA records. In this situation the issuing CA must verify that they are included in the CAA records.

As you have no CAA records, it does not need fixing.
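The two scenarios above, worked through as an added example (not code from the thread or from Cloudflare): it applies the CAA lookup rules from RFC 8659 to a constructed in-memory zone, climbing from the hostname toward the root to find the relevant record set, and returns whether a given CA may issue. Zone names, the "tbs" tag and the CA names are assumptions for illustration; a real CA would additionally follow CNAMEs and validate control of the name.

```python
from typing import Dict, List, Tuple

# (flags, tag, value) as written in the record's presentation format.
CAARecord = Tuple[int, str, str]
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit in the flags byte

# Constructed sample zone for this example; not real DNS data.
ZONE: Dict[str, List[CAARecord]] = {
    "locked.example.": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                        (0, "issuewild", ";")],          # no wildcard certs at all
    "none.example.": [(0, "issue", ";")],                  # no CA may issue (lockout)
    "odd.example.": [(CRITICAL, "tbs", "Unknown"),         # hypothetical critical tag
                     (0, "issue", "letsencrypt.org")],
    # "open.example." has no CAA records anywhere in its chain (scenario 1 above).
}


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Climb from the hostname toward the root; the first owner with CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return zone[owner]
    return []


def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """True if `ca` (an issuer domain such as letsencrypt.org) may issue for `name`."""
    wildcard = name.startswith("*.")
    rrs = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrs:
        return True  # scenario 1: no CAA records, any CA may issue after normal validation
    # scenario 2: a CA must refuse if it does not understand an issuer-critical property
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False
    # issuewild governs wildcard names only when present; otherwise issue applies
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrs) else "issue"
    # the issuer domain is the part before any ";"-separated parameters
    allowed = [v.split(";", 1)[0].strip().lower() for _, t, v in rrs if t == tag]
    if not allowed:
        return True  # records exist but none carries the governing property
    return ca.lower() in allowed  # ";" yields "" here, which matches no CA


if __name__ == "__main__":
    for host in ("www.locked.example.", "*.locked.example.", "none.example.", "open.example."):
        print(host, "letsencrypt.org ->", ca_may_issue(host, "letsencrypt.org", ZONE))
```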

Thank you for the reply Michael,
We will disregard this potential issue a security researcher brought to our attention.

Was this some “Ethical Hacker” looking for a bug bounty?
