We host a website through the DigitalOcean app platform, which uses Cloudflare. We’re adding CAA records to our domains to lock down who can get certs.
What CAA records to I need to add to permit Cloudflare to get the certs it needs for our website? Searching I see some indications that Cloudflare rotates through a number of different CAs when issuing certs, but I can’t find an authoritative list, or what those CAs want to be called in CAA records.
It should be these for Universal SSL. These should be added automatically if you’re using Cloudflare for DNS though.
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
If you’re using Cloudflare for SaaS then it should be:
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
https://developers.cloudflare.com/ssl/ssl-for-saas/troubleshooting
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.