How to fix DNS CAA issue on SSL Labs Test

You ran the SSL Labs Analyzer on your domain name, and you got a DNS CAA Issue.  You want to solve it, because your goal is to get the A+ Rating from Qualys.

How to fix that?

You need to add a CAA Entry in your DNS.

What is a CAA DNS entry?

That entry tells which certificate authority delivered your SSL certificate.  If someone hack your ssl certificates with certs not in your liste of “known” providers, it will be an indication that your site may have been modified by someone else.

The blog you currently read is hosted on AWS EC2 infrastructure.  The DNS is sold and managed by AWS Route 53 services, and we got our SSL certificates free from Letsencrypt.

So, I’ll explain you how enable your CAA DNS setting based on these prerequisites.  The procedure is the same for any other SSL seller and DNS service.

Step-by-step configuration

  • In your Route 53 console:
    • select your domain name
    • Click “Create Record Set”
      • Leave name empty
      • Choose type: CAA
      • Enter value, in my case it was:
        [0 issue “letsencrypt.org”] (without brackets)

In addition, you can use that generator: https://sslmate.com/caa/ to obtain your value.
From that generator, just enter your domain name.
Next, click “Auto Generate Policy”.
The tool will look at your current SSL certificate.  Then, it will give you the desired value you should type in your CAA DNS entry.

Finally, wait a little for DNS propagation, and run the test again, and you will get a nice green status on your CAA test!

You can also test your CAA with that tool:
https://caatest.co.uk/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.