Search K
Appearance
Appearance
CAA records (Certification Authority Authorization) are used to validate which certificates are allowed to be used for a given website. They're an added layer of security to ensure no 3rd party certiciates are used for the main domain, or subdomains.
The dns_caa variable should be enabled by default. To confirm it's status, run:
da config-get dns_caaIf it's not set to 1, enable it:
da config-set dns_caa 1 --restartA sample CAA record in a dns zone might look like:
domain.com. CAA 0 issue "letsencrypt.org"The default TTL of 3600 is fine, unless you plan on changing to some other certifiate soon, which case you should remove the record entirely, or lower to 300 seconds if you wish to keep the cord until the last moment.
We can use the letsencrypt_post hook to trigger adding a CAA record if a Let's Encrypt request or rewal is successful.
To do this, create the hook script here (create the directory first):
/usr/local/directadmin/scripts/custom/letsencrypt_post/caa.shand add contents:
#!/bin/sh
CAA_VALUE='0 issue "letsencrypt.org"'
TASKQ=/usr/local/directadmin/data/task.queue
CERT=/usr/local/directadmin/data/users/${username}/domains/${domain}.cert
if [ "$exit_code" -ne 0 ]; then
exit 0
fi
if [ "$action" != "request" ] && [ "$action" != "renew" ]; then
exit 0;
fi
if [ ! -s ${CERT} ]; then
exit 0;
fi
if ! issuer=$(openssl x509 -in "$CERT" -noout -issuer 2>/dev/null); then
exit 0;
fi
if ! grep -qi "Let's Encrypt" <<< "$issuer"; then
exit 0;
fi
echo "action=dns&do=add&domain=${domain}&type=CAA&name=${domain}.&value=${CAA_VALUE}" >> $TASKQ
exit 0If you wish to add CAA records for all current Let's Encrypt certificates which have an associated DNS zone, a script can be used. The script below will:
domain.com.cert filesCreate:
/root/add_caa.shand add code:
#!/bin/sh
CAA_VALUE='0 issue "letsencrypt.org"'
ZONE_DIR=`da config-get nameddir`
for cert in `ls /usr/local/directadmin/data/users/*/domains/*.cert`; do {
domain=$(basename "$cert" .cert)
zone_file=$ZONE_DIR/$domain.db
if [ ! -s "$zone_file" ]; then
echo "No zone for $cert, skipping."
continue;
fi
if ! issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null); then
echo "INVALID: $cert"
continue
fi
if ! grep -qi "Let's Encrypt" <<< "$issuer"; then
echo "SKIP: $domain is not issued by Let's Encrypt"
continue
fi
if grep -Eiq 'CAA.*letsencrypt\.org' "$zone_file"; then
echo "CAA record already exists in $zone_file"
continue
fi
echo "Adding CAA into $zone_file"
da taskq --run "action=dns&do=add&domain=$domain&type=CAA&name=$domain&value=$CAA_VALUE&named_reload=yes"
};
done;
exit 0;chmod the script to 755, and run it:
chmod 755 /root/add_caa.sh
/root/add_caa.sh