You ran the SSL Labs Server Test (Qualys) on your domain name and the report flags DNS CAA as missing. You want to clear it, because your goal is a clean A+ report. (The CAA line is informational: SSL Labs does not lower the grade for a missing record, but publishing one is a cheap way to make certificate mis-issuance harder.)
How to fix that?
You need to add a CAA record to your DNS zone.
What is a CAA DNS record?
A Certification Authority Authorization (CAA) record (RFC 8659, formerly RFC 6844) lists the certificate authorities that are allowed to issue certificates for your domain. Publicly trusted CAs are required to look up CAA before issuing, so a CA that is not in your list must refuse a request for your name. The record does not say which CA issued your current certificate, and browsers do not check it: its value is preventive. If an attacker tries to obtain a certificate for your domain from another CA (or a CA's own validation is tricked), the CAA check blocks the issuance, and the optional iodef tag lets you ask for a report when that happens.
So, I'll explain how to enable the CAA record in my setup: Route 53 as the DNS service and Let's Encrypt as the CA. The procedure is the same for any other CA and DNS provider; only the issuer name in the value changes.
- In your Route 53 console, open the hosted zone for your domain name
- Click "Create Record Set"
- Leave the name empty (the record sits on the zone apex and also covers subdomains that have no CAA record of their own)
- Choose type: CAA
- Enter the value; in my case it was:
0 issue "letsencrypt.org"
(no brackets, and use straight ASCII double quotes; the curly quotes produced by word processors and some web pages are not valid here. If you use more than one CA, add one issue line per CA; if you use wildcard certificates, add an issuewild line as well.)
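To make the record's semantics concrete, here is an added Python example (not code from the original post, AWS or Let's Encrypt). It parses CAA records in the presentation format Route 53 and dig use, applies the issuance check a CA performs under RFC 8659 (issue versus issuewild, the empty-issuer form that forbids everyone, and the critical flag on unknown tags), and builds the change-batch document you would hand to the AWS CLI instead of clicking through the console. The zone example.com, the address security@example.com and the policy itself are constructed placeholders.

```python
"""Added example: parse CAA records, apply the RFC 8659 issuance check a CA performs,
and build the Route 53 change batch that publishes the policy."""
import json
import re
from dataclasses import dataclass

# Presentation format used by Route 53 and dig: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
ISSUER_CRITICAL = 128  # flags bit 0: a CA that does not understand the tag must not issue


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # lower-cased; tags are case-insensitive
    value: str

    @classmethod
    def parse(cls, text: str) -> "CAARecord":
        # Straight ASCII quotes are required; curly quotes pasted from a web page fail here.
        m = _CAA_RE.match(text)
        if not m:
            raise ValueError(f"not a CAA record in presentation format: {text!r}")
        flags = int(m.group(1))
        if flags > 255:
            raise ValueError("flags must be 0..255")
        return cls(flags, m.group(2).lower(), m.group(3))

    def to_presentation(self) -> str:
        return f'{self.flags} {self.tag} "{self.value}"'


def _coerce(records):
    return [r if isinstance(r, CAARecord) else CAARecord.parse(r) for r in records]


def _issuer_domain(value: str) -> str:
    # issue/issuewild values look like "ca.example; param=value"; only the part before the
    # first ';' names the CA, and an empty name (e.g. ";") means "nobody may issue".
    return value.split(";", 1)[0].strip().lower()


def caa_allows(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if `ca_domain` may issue for a name whose relevant CAA RRset is
    `records`, following RFC 8659 sections 4.2-4.3:
      - an empty RRset leaves any CA free to issue
      - issuewild governs wildcard requests when present, otherwise issue does
      - an issuer domain of "" forbids issuance
      - an unrecognised tag with the critical flag set forbids issuance"""
    rrs = _coerce(records)
    if any(r.tag not in ("issue", "issuewild", "iodef") and r.flags & ISSUER_CRITICAL
           for r in rrs):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrs):
        tag = "issuewild"
    relevant = [r for r in rrs if r.tag == tag]
    if not relevant:
        return True  # nothing restricts this request (e.g. only an iodef record)
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in relevant)


def route53_change_batch(record_name: str, records, ttl: int = 300) -> dict:
    """Build the --change-batch document for
    `aws route53 change-resource-record-sets --hosted-zone-id <ID> --change-batch file://caa.json`.
    UPSERT makes the call idempotent; the record set holds one Value per CAA record."""
    return {
        "Comment": "Publish CAA policy",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_name.rstrip(".") + ".",
                "Type": "CAA",
                "TTL": ttl,
                "ResourceRecords": [{"Value": r.to_presentation()} for r in _coerce(records)],
            },
        }],
    }


if __name__ == "__main__":
    # Constructed policy for a placeholder zone: Let's Encrypt may issue ordinary certificates,
    # nobody may issue wildcards, and refused requests are reported to the iodef address.
    policy = ['0 issue "letsencrypt.org"',
              '0 issuewild ";"',
              '0 iodef "mailto:security@example.com"']
    print(json.dumps(route53_change_batch("example.com", policy), indent=2))
    print(caa_allows(policy, "letsencrypt.org"))                 # True
    print(caa_allows(policy, "letsencrypt.org", wildcard=True))  # False
    print(caa_allows(policy, "digicert.com"))                    # False
```

Two points worth noticing when you run it: a record whose issuer name is empty (`issuewild ";"`) is a deliberate "deny all", not a typo, and a CA ignores issuewild entirely for non-wildcard names, so the Let's Encrypt request for the plain name still succeeds. Save the printed JSON to a file and pass it to the AWS CLI command named in the docstring to publish the same record set the console steps above create.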
In addition, you can use the generator at https://sslmate.com/caa/ to obtain your value.
In that generator, just enter your domain name.
Next, click "Auto Generate Policy".
The tool looks at the certificate your site currently serves and suggests the value to enter in your CAA record. Review it before publishing: if certificates for your domain come from more than one CA (for example a CDN, a mail server or a subdomain with its own certificate), add an issue line for each of them, otherwise their next renewal will be refused.
Finally, wait a little for DNS propagation, then run the test again and the CAA line turns green. You can also check the published record yourself with dig CAA yourdomain.example +short, which should print 0 issue "letsencrypt.org".
You can also test your CAA record with this tool: