Skip to content

CAA Records for SSL Certificates

CAA records (Certification Authority Authorization) are used to validate which certificates are allowed to be used for a given website. They're an added layer of security to ensure no 3rd party certiciates are used for the main domain, or subdomains.

Enable CAA Records in DirectAdmin

The dns_caa variable should be enabled by default. To confirm it's status, run:

bash
da config-get dns_caa

If it's not set to 1, enable it:

bash
da config-set dns_caa 1 --restart

CAA records for Let's Encrypt

A sample CAA record in a dns zone might look like:

domain.com.  CAA  0 issue "letsencrypt.org"

The default TTL of 3600 is fine, unless you plan on changing to some other certifiate soon, which case you should remove the record entirely, or lower to 300 seconds if you wish to keep the cord until the last moment.

Automatically add a CAA records after a successful Let's Encrypt Request or Renewal

We can use the letsencrypt_post hook to trigger adding a CAA record if a Let's Encrypt request or rewal is successful.

To do this, create the hook script here (create the directory first):

/usr/local/directadmin/scripts/custom/letsencrypt_post/caa.sh

and add contents:

bash
#!/bin/sh
CAA_VALUE='0 issue "letsencrypt.org"'
TASKQ=/usr/local/directadmin/data/task.queue
CERT=/usr/local/directadmin/data/users/${username}/domains/${domain}.cert
if [ "$exit_code" -ne 0 ]; then
    exit 0
fi
if [ "$action" != "request" ] && [ "$action" != "renew" ]; then
    exit 0;
fi
if [ ! -s ${CERT} ]; then
    exit 0;
fi
if ! issuer=$(openssl x509 -in "$CERT" -noout -issuer 2>/dev/null); then
    exit 0;
fi
if ! grep -qi "Let's Encrypt" <<< "$issuer"; then
    exit 0;
fi

echo "action=dns&do=add&domain=${domain}&type=CAA&name=${domain}.&value=${CAA_VALUE}" >> $TASKQ
exit 0

Add CAA records for all current Let's Encrypt certifications with a dns zone

If you wish to add CAA records for all current Let's Encrypt certificates which have an associated DNS zone, a script can be used. The script below will:

  • check all current domain.com.cert files
  • ensure there is a related domain.com.db dns zone file
  • ensure that the certificate was issued by Let's Encrypt
  • ensure there is not already a CAA record

Create:

/root/add_caa.sh

and add code:

bash
#!/bin/sh
CAA_VALUE='0 issue "letsencrypt.org"'
ZONE_DIR=`da config-get nameddir`
for cert in `ls /usr/local/directadmin/data/users/*/domains/*.cert`; do {
        domain=$(basename "$cert" .cert)
        zone_file=$ZONE_DIR/$domain.db
        if [ ! -s "$zone_file" ]; then
                echo "No zone for $cert, skipping."
                continue;
        fi

        if ! issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null); then
                echo "INVALID: $cert"
                continue
        fi

        if ! grep -qi "Let's Encrypt" <<< "$issuer"; then
                echo "SKIP: $domain is not issued by Let's Encrypt"
                continue
        fi

        if grep -Eiq 'CAA.*letsencrypt\.org' "$zone_file"; then
                echo "CAA record already exists in $zone_file"
                continue
        fi

        echo "Adding CAA into $zone_file"
        da taskq --run "action=dns&do=add&domain=$domain&type=CAA&name=$domain&value=$CAA_VALUE&named_reload=yes"
};
done;
exit 0;

chmod the script to 755, and run it:

bash
chmod 755 /root/add_caa.sh
/root/add_caa.sh