Solution

The most drastic fix is to pause every DNS record that points to Vercel.
A more targeted approach is to first pause the record that sends the second-level domain to Vercel (example.com -> Vercel),
and then pause the record for the affected subdomain (a.example.com -> Vercel).

Problem

Today, Alibaba Cloud informed me that an SSL certificate for one of my domains was about to expire. As an experienced developer, I opened the Alibaba Cloud console to apply for a new certificate.

However, something strange happened. Previously, the certificate could be issued within a minute, but this time it took a long time and it still didn’t work. I decided to take a nap and try again later.

When I woke up and opened the Alibaba Cloud console, I found that it still wasn’t successful. At this point, I still suspected that it was Alibaba Cloud’s problem. So I applied again using Freessl, but it still wasn’t successful in the afternoon. The result of the test using myssl.com is as follows:

Region          Match
China           Not match (Validation failed. Your CAA configuration doesn’t allow the current CA to issue certificates for you. Please modify to: symantec.com or digicert.com)
Hong Kong       Not match (Validation failed. Your CAA configuration doesn’t allow the current CA to issue certificates for you. Please modify to: symantec.com or digicert.com)
United States   Not match (Validation failed. Your CAA configuration doesn’t allow the current CA to issue certificates for you. Please modify to: symantec.com or digicert.com)

I haven’t set up any CAA records!

I thought it couldn’t be a DNS cache issue, right?

But I still went to the Alibaba Cloud console to temporarily stop resolving all DNS records. As a result, it actually worked! After investigation, I found that the problem was caused by the CNAME record pointing to Vercel. How could Vercel have the permission to set CAA records for me?!

Reason

After some searching, I finally figured out the reason: it was caused by a CAA record.

CAA (Certificate Authority Authorization) is a DNS resource record type that lets the owner of a domain declare which CAs (certificate authorities) may issue certificates for that domain. A CA that honours CAA refuses a certificate request for the domain, including one from an unauthorized third party, when the CA is not listed. By publishing CAA records, website owners restrict issuance to the CAs they trust, which prevents erroneous issuance of HTTPS certificates and improves the site's security.

One further point worth knowing is that CNAME records affect CAA lookups:

CAA checking follows a CNAME record that points to a different domain. In this example, www.example.com points to www.example.net, which has CAA records of its own:

(Example 7 / www.example.com)
Domain             Record type   Flags   Tag     Value
www.example.com.   CNAME                         www.example.net
www.example.net.   CAA           0       issue   ";"

(Result: CAA failed)

The first record redirects the CAA check to www.example.net. Its CAA record (";") forbids every CA from issuing, so the certificate authority cannot issue a certificate for www.example.com.

If the CNAME target (www.example.net) has no CAA record, the check climbs to the parent domain of the original name (example.com).

(Example 8 / www.example.com)
Domain             Record type   Flags   Tag     Value
www.example.com.   CNAME                         www.example.net
example.com.       CAA           0       issue   "amazon.com"

(Result: CAA passed)

In plain language: because we set a CNAME record pointing to Vercel, and the Vercel target name carries CAA records, those CAA records now govern our domain. A check with a CAA lookup tool confirmed that this was indeed the case:

{
  "canIssue": false,
  "status": "IssueMismatch",
  "domain": "czqu.net",
  "queryAt": "Sep 30, 2021 11:21:55 AM",
  "elapsed": 1,
  "caaRecordSet": [
    {
      "domain": "czqu.net",
      "caaRecords": [
        {
          "issuerCritical": 0,
          "tag": "issue",
          "value": "letsencrypt.org",
          "type": 257,
          "dclass": 1,
          "ttl": 60
        },
        {
          "issuerCritical": 0,
          "tag": "issue",
          "value": "globalsign.com",
          "type": 257,
          "dclass": 1,
          "ttl": 60
        }
      ]
    }
  ]
}
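The lookup rules quoted above and the record set the tool returned, as an added Python model (not code from the post or from any DNS library): the CNAME is followed, the target's CAA set is used if it has one, otherwise the check climbs to the parent of the original name, and the resulting set is tested against the issuing CA. ZONE, the alias.example.net address record and the hosting-provider target name are constructed; the CAA values and digicert.com come from the post's tool output and error message.

```python
# Added example (not from the original post): models the CAA lookup the post
# describes -- follow the CNAME, use the target's CAA set if it has one,
# otherwise climb to the parent of the ORIGINAL name -- then applies the
# 'issue' check a CA performs. ZONE is a constructed in-memory zone.

ZONE = {
    # Example 7 from the post: the CNAME target forbids every CA (";").
    "www.example.com.": {"CNAME": "www.example.net."},
    "www.example.net.": {"CAA": [(0, "issue", ";")]},
    # Example 8 from the post: the target has no CAA, so the lookup climbs
    # to example.com, which allows amazon.com.
    "web.example.com.": {"CNAME": "alias.example.net."},
    "alias.example.net.": {"A": "192.0.2.10"},
    "example.com.": {"CAA": [(0, "issue", "amazon.com")]},
    # The post's situation: a subdomain CNAMEd to a hosting provider whose
    # target name carries its own CAA set (placeholder name; the CAA values
    # are the ones the post's tool reported).
    "a.my-site.example.": {"CNAME": "cname.hosting-provider.example."},
    "cname.hosting-provider.example.": {"CAA": [(0, "issue", "letsencrypt.org"),
                                                (0, "issue", "globalsign.com")]},
}

def effective_caa(name, zone=ZONE):
    """Return the CAA record set that governs `name` ([] if there is none)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):                  # name, parent, grandparent, ...
        candidate = ".".join(labels[i:]) + "."
        rrs = zone.get(candidate, {})
        if rrs.get("CAA"):
            return rrs["CAA"]
        target = rrs.get("CNAME")                 # a CNAME pulls in the target's CAA
        if target and zone.get(target, {}).get("CAA"):
            return zone[target]["CAA"]
    return []

def can_issue(caa_set, ca_domain):
    """Apply the 'issue' tag: no issue records -> unrestricted; ';' -> nobody."""
    # Only plain 'issue' values are modelled; issuewild, parameters after ';'
    # and critical-flag handling are left out.
    issue_values = [v for _flags, tag, v in caa_set if tag == "issue"]
    if not issue_values:
        return True
    return ca_domain in issue_values

def check(name, ca_domain, zone=ZONE):
    """True if `ca_domain` may issue for `name` under the effective CAA set."""
    return can_issue(effective_caa(name, zone), ca_domain)
```

Removing the CNAME entry for a.my-site.example from ZONE makes check() return True again for digicert.com, which is exactly what pausing the Vercel record did in the post. RFC 8659, the current CAA specification, dropped the CNAME-following step, so a given CA's real lookup may differ from this model.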