We were alerted to a potential issue using CF’s SSL cert. Our site uses LetsEncrypt but since we’re proxying the whole site through CF, it seems this isn’t something we can fix on our end, and we don’t know whether it actually needs fixing.
They’ve told us “Certificate Authority Authorization (supported by LetsEncrypt and other CAs) allows a domain owner to specify which Certificate Authorities should be allowed to issue certificates for the domain. All CAA-compliant certificate authorities should refuse to issue a certificate unless they are the CA of record for the target site. This helps reduce the threat of a bad guy tricking a Certificate Authority into issuing a phony certificate for your site.
The CAA rule is stored as a DNS resource record of type 257.”
And upon verifying it at https://caatest.co.uk/'our site', it in fact returns "✘ Couldn’t find a CAA record
No CAA found"
So, what should we do?
Cheers and thanks for your help.
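
The CAA check described in the post, as an added example that is not part of the original post: it decodes type 257 RDATA as laid out in RFC 8659 and applies the issuance decision a compliant CA makes, including the "no CAA record found" case. The CA identifiers, the `rdata` helper and the sample RRset are constructed for illustration; the sample lists two CAs, as a proxied site that also holds its own origin certificate would need.

```python
# RFC 8659 CAA: RDATA layout is flags(1) | tag_len(1) | tag | value.
# All records and CA identifiers here are constructed, not real data.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def rdata(flags: int, tag: str, value: str) -> bytes:
    """Hypothetical helper: build wire-format CAA RDATA for the samples."""
    return bytes([flags, len(tag)]) + tag.encode() + value.encode()

def parse_caa_rdata(raw: bytes) -> dict:
    """Decode one type-257 RDATA into critical flag, tag and value."""
    if len(raw) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or len(raw) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = raw[2:2 + tag_len].decode("ascii").lower()
    value = raw[2 + tag_len:].decode("ascii")
    return {"critical": bool(flags & 0x80), "tag": tag, "value": value}

def may_issue(rrset, ca_id: str, wildcard: bool = False) -> bool:
    """True if the CA identified by ca_id may issue under this RRset."""
    records = [parse_caa_rdata(r) for r in rrset]
    if not records:
        return True  # no CAA record found: issuance is not restricted
    # An unrecognised property with the critical bit set blocks issuance.
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r["tag"] == "issue"]
    wild = [r for r in records if r["tag"] == "issuewild"]
    # issuewild, when present, takes precedence for wildcard names.
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True  # e.g. only iodef present: no issue restriction
    # Value is "<issuer-domain>[; params]"; an empty domain allows nobody.
    allowed = {r["value"].split(";", 1)[0].strip().lower() for r in relevant}
    return ca_id.lower() in allowed

# Constructed RRset: two permitted CAs plus a reporting address.
SAMPLE = [
    rdata(0, "issue", "ca-one.example"),
    rdata(0, "issue", "ca-two.example; account=123"),
    rdata(0, "iodef", "mailto:sec@site.example"),
]

if __name__ == "__main__":
    for ca in ("ca-one.example", "ca-two.example", "ca-three.example"):
        print(ca, "may issue:", may_issue(SAMPLE, ca))
    print("empty RRset, any CA:", may_issue([], "ca-three.example"))
```
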