AutoSSL CAA with accounturi Support / Possible Issue
We are trying to install an SSL certificate via AutoSSL for a new domain that has a CAA record that will only allow Let's Encrypt to issue, with an accountURI value that matches the Provider ID listed in cPanel. The CAA record reads:
DOMAIN-NAME.com. 0 IN CAA 0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX"
with the X's and DOMAIN-NAME replaced with our server-specific items.
With this CAA record in place, we receive AutoSSL errors that note the CAA forbids Let's Encrypt from issuing the certificate, even though it should be allowed based on the above. Interestingly, if we remove the accounturi parameter from the CAA record and simply set it to "letsencrypt.org", the certificate issues properly. In an effort to harden the security of our CAA record, we would like to keep the accounturi parameter in place.
Does AutoSSL support issuing certificates via Let's Encrypt with a hardened CAA record that includes the accounturi parameter? https://letsencrypt.org/docs/caa/#examples. Is there something specific we need to configure on the cPanel / WHM side to support this? The AutoSSL logs are fairly vague, so we're having trouble debugging this. The Let's Encrypt team has indicated the CAA record itself looks correct.
-
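How a CA evaluates the `accounturi` parameter (RFC 8657) on a CAA `issue` property like the one in the post above, as an added example that is not part of the original thread and is not cPanel's or Let's Encrypt's code. The function names are hypothetical, the account IDs are placeholders, and exact string comparison stands in for the CA's own account lookup.

```python
# Added example; names are hypothetical, account IDs are placeholders.
ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/XXXXXXXX"   # as on the page
OTHER = "https://acme-v02.api.letsencrypt.org/acme/acct/YYYYYYYY"  # constructed
HARDENED = [f"letsencrypt.org;accounturi={ACCT}"]
PLAIN = ["letsencrypt.org"]


def parse_issue_value(value):
    """Split an issue value into (issuer_domain, [(tag, value), ...])."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = []
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ";"
        tag, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params.append((tag.strip().lower(), val.strip()))
    return issuer, params


def property_authorizes(value, ca_domain, account_uri):
    """True if one issue property permits ca_domain acting as account_uri."""
    try:
        issuer, params = parse_issue_value(value)
    except ValueError:
        return False  # an unparseable property never authorizes
    if issuer != ca_domain.lower():
        return False  # also covers the empty issuer (";"), which names no CA
    uris = [v for t, v in params if t == "accounturi"]
    if len(uris) > 1:
        return False  # RFC 8657: several accounturi parameters never authorize
    # Assumption: exact string match stands in for the CA's account lookup.
    return not uris or uris[0] == account_uri


def issuance_allowed(issue_values, ca_domain, account_uri):
    """RRset semantics: no issue properties means CAA does not restrict."""
    if not issue_values:
        return True
    return any(property_authorizes(v, ca_domain, account_uri) for v in issue_values)


if __name__ == "__main__":
    for name, rrset, acct in (("hardened, named account", HARDENED, ACCT),
                              ("hardened, other account", HARDENED, OTHER),
                              ("plain, other account", PLAIN, OTHER)):
        print(f"{name}: {issuance_allowed(rrset, 'letsencrypt.org', acct)}")
```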
Hey there! At this time it seems these are not supported as we've had one other user try this configuration and it also caused problems with AutoSSL.
Would you like me to make a feature request with the SSL team to see if that's something they'd like to add? You can also submit this yourself over at features.cpanel.net if you'd like.
0 -
Yes, please add this as a feature request. Thank you!
0 -
Sure thing - I've submitted that now and I'll bring that up with our team during our weekly meeting. Once I have an update I'll post here with that information.
0 -
Update - I did speak with the development team on Friday and they liked this idea. I've created case CPANEL-47037 so they can explore what it would take to support the accounturi option in the CAA field. I've linked this thread to the case so if I get any updates from the team I'll be sure to share them!
0