Let's Encrypt accounturi for CAA record

Hi there - I want to further lock down my CAA record by allowing only Netlify’s Let’s Encrypt account to issue certificates. I currently have the following DNS records:

mydomain.com.	5	IN	CAA	0 iodef "mailto:abuse@mydomain.com"
mydomain.com.	5	IN	CAA	0 issue "letsencrypt.org"

However, this allows any Let’s Encrypt account to create certificates for my domain. I would like to add the accounturi parameter which takes the form:

https://acme-v02.api.letsencrypt.org/acme/acct/1234567890

What is Netlify’s Let’s Encrypt accounturi? I recognize that not all CAs will recognize the accounturi parameter, but Let’s Encrypt is the only CA I use.

Could the accounturi please be shared and added to the documentation?


I don’t think we can give that out. If you have more specific needs like this, you should get your own custom certificate (e.g. one from Let’s Encrypt) and upload/manage it yourself.

Sorry I don’t have better news for you today!

Sorry, I’m not sure I understand why you can’t give it out? CAA records are part of the public DNS record, so I don’t see why LE would recommend adding an accounturi parameter if it wasn’t intended to be public. Even netlify.com encodes their digicert.com account into the CAA record:

$ dig CAA netlify.com +short
128 issue "digicert.com;account=2d83e9ac9b6776c3f215150f6ebceea8cefe3bc2e1fb5efffb1d71e200575226"
128 issue "amazon.com"
128 iodef "mailto:security@netlify.com"

As does Facebook:

$ dig CAA facebook.com +short
0 issue "digicert.com; account=271b0beda0771d006aa3a6c11b05187d456d6c239b46cb5241196095b09c92af"

The account key is the secret part that should not be shared externally.

I’ll ask our networking team. The fact that we have never given it out after issuing millions of certificates via Let’s Encrypt just makes me think it is not something we give out. Nobody else has ever - in the history of using Netlify - needed that information. So I think the request is probably not necessary for any use cases we want to support, but I shall ask instead of assuming further.

I expect we’ll get an answer later next week.

Thanks for your patience! Team agreed with your assessment, so here’s the account ID (presumably just the digits at the end).

https://acme-v02.api.letsencrypt.org/acme/acct/54403714

I’ll be curious to hear if you are able to configure a CAA record successfully - let us know how it goes!

Hey - thank you for that :). Based on my understanding of the docs, I think the CAA record expects the full URL (e.g. letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/54403714)

Anyway, here’s the current CAA record for sethvargo.com:

sethvargo.com.		300	IN	CAA	0 iodef "mailto:abuse@sethvargo.com"
sethvargo.com.		300	IN	CAA	0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/54403714"

I attempted to click “renew certificate” from Netlify. I don’t get an error, but I also don’t get a new certificate. I’m not sure how to tell if it’s succeeding beyond waiting 2 months and seeing if it fails?

I haven’t gotten an error, but Cloudflare is also supposed to email me when a new cert is issued for my domain, and I haven’t gotten an email. Is there a place where I could look for logs for failures on the Netlify side?

Do y’all happen to stage certs first or use dry-run? (reference)

Not sure about the answer to those last two questions (I think the answer is no), but I can tell you we won’t even attempt a renew via any user-attempted method, until/unless the cert is closer to expiration.

I just renewed via our API and it seemed to work…er…hmm. It updated a last_successful_renewal_at timestamp to today, but I don’t see the expires_at timestamp extending which makes me think that may just be an internal designator rather than us actually going via LE.

You could definitely trigger a renewal by adding a new domain alias though - maybe you have a way to easily create a dummy domain name you can add in there that points to us (which you can of course remove thereafter) to test things out?

Ah got it - I misunderstood how renewal works. I can confirm adding a subdomain and renewing successfully provisions a new and valid cert :slight_smile:

Any chance of adding an example to the Netlify docs? I do think it’s a risk that customers set CAA records that allow anyone with a LE account to provision certs instead of restricting it to specific accounts.

We’ve asked the docs team to review this thread.

@sethvargo - Thanks for your suggestion about how we could improve our docs! I wanted to let you know that we’ve updated our docs on Netlify-managed certificates to include Netlify’s accounturi. Thanks again!


Thanks! I think you linked to the deploy preview (which I don’t have access to), but I found it linked on the public docs. Thank you so much - this is really great for customers!

Oops! Sorry about that and thanks for letting me know. I updated the link in my original message.

Thanks a lot for the addition in the doc, I was just looking for that too :pray:

However, just out of curiosity, this is the very first time I’ve seen a CAA record with just the account address, with nothing in front of it, compared to what we find here: Certificate Authority Authorization (CAA) - Let's Encrypt

Do you know if it’s possible to add a validation method for this record?
validationmethods=http-01
validationmethods=dns-01
validationmethods=tls-alpn-01

Thanks again

When using Netlify DNS, we use DNS validation, when using external DNS, we use HTTP validation. You can add that accordingly.

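The two things this thread settles are how the `issue` value is extended with `accounturi` (RFC 8657) to pin issuance to one ACME account, and how `validationmethods` narrows the challenge type. The following script is an added example, not code from Netlify or from the original posts: it parses CAA records in the `dig +short` presentation format used above (flags, tag, quoted value, then the `issuer;name=value` parameter syntax of RFC 8659) and reports whether the record set still lets any Let’s Encrypt account issue, which accounturi(s) it pins, and which validation methods it permits. The two record sets are constructed here for illustration; the account URI ending in 54403714 is the one Netlify shared in this thread.

```python
"""Parse CAA records and report how tightly they pin Let's Encrypt issuance.

Syntax follows RFC 8659 (CAA) and RFC 8657 (accounturi / validationmethods).
Added example for this thread; the sample records below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input, in the `dig CAA <name> +short` format used in the thread.
# This set is what the original poster started with: any LE account may issue.
OPEN_RECORDS = """\
0 iodef "mailto:abuse@mydomain.com"
0 issue "letsencrypt.org"
"""

# Constructed set pinned to Netlify's account URI (from this thread) and to http-01,
# which the thread says Netlify uses when the domain's DNS is hosted elsewhere.
PINNED_RECORDS = """\
0 iodef "mailto:abuse@sethvargo.com"
0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/54403714; validationmethods=http-01"
"""

# <flags> <tag> "<value>"; the value may contain backslash-escaped characters.
CAA_LINE = re.compile(r'^\s*(\d+)\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*$')


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str
    issuer: str = ""                       # issuer domain for issue/issuewild tags
    params: dict = field(default_factory=dict)  # name=value parameters after ';'

    @property
    def critical(self) -> bool:
        # Bit value 128 is the "issuer critical" flag (RFC 8659 section 4.1).
        return bool(self.flags & 128)


def parse_caa_line(line: str) -> CaaRecord:
    """Parse one presentation-format CAA line into a CaaRecord."""
    m = CAA_LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA presentation line: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    rec = CaaRecord(flags=flags, tag=tag, value=value)
    if tag in ("issue", "issuewild"):
        # RFC 8659 section 4.2: issuer-domain-name *(";" name "=" value)
        parts = [p.strip() for p in value.split(";")]
        rec.issuer = parts[0].lower()
        for p in parts[1:]:
            if not p:
                continue
            name, _, val = p.partition("=")
            rec.params[name.strip().lower()] = val.strip()
    return rec


def parse_caa_set(text: str) -> list[CaaRecord]:
    return [parse_caa_line(l) for l in text.splitlines() if l.strip()]


def letsencrypt_policy(records: list[CaaRecord]) -> dict:
    """Summarise what the CAA set allows Let's Encrypt (letsencrypt.org) to do.

    any_account_allowed is True when some `issue "letsencrypt.org"` record carries
    no accounturi, i.e. any Let's Encrypt account can still obtain a certificate.
    """
    le = [r for r in records if r.tag == "issue" and r.issuer == "letsencrypt.org"]
    pinned = {r.params["accounturi"] for r in le if "accounturi" in r.params}
    methods: set[str] = set()
    for r in le:
        if "validationmethods" in r.params:
            methods.update(v.strip() for v in r.params["validationmethods"].split(","))
    return {
        "letsencrypt_listed": bool(le),
        "any_account_allowed": any("accounturi" not in r.params for r in le),
        "account_uris": sorted(pinned),
        "validation_methods": sorted(methods) if methods else None,
    }


if __name__ == "__main__":
    for label, text in (("open", OPEN_RECORDS), ("pinned", PINNED_RECORDS)):
        print(label, letsencrypt_policy(parse_caa_set(text)))
```

To check a live zone, feed the output of `dig CAA yourdomain.example +short` to `parse_caa_set`. A result with `any_account_allowed` True is the situation the original poster wanted to close: the CA is restricted, but the account is not. Note that the check is only as good as the CA’s support for RFC 8657; Let’s Encrypt honours both parameters, and per the thread the matching `validationmethods` value is `dns-01` for Netlify DNS and `http-01` for externally hosted DNS.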

Thank you for these clarifications :ok_hand: