AutoSSL added CAA DNS record?

zodiac9797

Active Member
Apr 17, 2011
34
4
58
Hello,
just noticed that some of our clients have a CAA record in their DNS zone record.
We didn't add this record, and neither did the client.
The only thing I can recall is clicking "issue AutoSSL for this account" to "force" immediate AutoSSL for the domain. Is it possible that this action added the CAA record?

DNS record: xxx.xxx.xxx. 86400 IN CAA 0 issue comodoca.com

This was discovered because the client tried to issue a new certificate and the DNS record didn't allow this.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
Hello @zodiac9797,

Yes, this is part of the AutoSSL feature as of cPanel & WHM version 76:

AutoSSL preflight check for CAA records
In cPanel & WHM version 76, we added a preflight check to AutoSSL. This check adds a Certificate Authority Authentication (CAA) record in the domain's zone file before AutoSSL orders a new certificate for that domain.

For more information, read our Manage AutoSSL documentation.
Can you provide more information about the problem this led to?

Thank you.
 

zodiac9797

Hi @cPanelMichael, we have a client hosted on our server (cPanel account), but for the web he is using another service. We have added an A record to his domain's DNS zone to "redirect" his domain to another web hosting service (different server / IP address). He is still using our mail server and other things, but for the website he is using another company.

The problem is that they use 'Let's Encrypt' SSL, and everything was working fine for the last year or so, but now when the certificate expired their service was unable to renew it, since there was a CAA record which limited his domain to a Comodo certificate.

Basically, the problem is when a client has a cPanel account on one server and uses a DNS record to redirect www. to another server which uses a different SSL certificate. I believe that the same problem will be with the MX record...

Please let me know if I didn't explain the problem well enough.
 

cPanelMichael

Hello @zodiac9797,

SSL certificates issued through the AutoSSL feature are only intended for domains that resolve to the cPanel & WHM server. In this case, you'll need to exclude the domain and its subdomains from the AutoSSL feature using the SSL/TLS Status option in cPanel. This will prevent the AutoSSL pre-flight check from generating the CAA records in the domain's DNS zone.

You can remove any existing CAA records through WHM's Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone) or through cPanel's Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

Thank you.
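
To find other zones where a CAA record like the one in this thread would block a CA used by an externally hosted site, the following added example (not part of the thread and not cPanel code) parses zone-file text and applies a simplified RFC 8659 check. The zone contents, names and function names are constructed for illustration; CNAME handling, `issuewild` and issuer parameters are not covered.

```python
# Added example: audit zone-file text for CAA records that would block a given CA.
# Simplified RFC 8659 logic: no CNAME handling, no issuewild, parameters ignored.

# Constructed sample zone data (documentation names and addresses).
SAMPLE_ZONE = """\
example.com.       86400 IN A   192.0.2.10
example.com.       86400 IN CAA 0 issue comodoca.com
www.example.com.   86400 IN A   198.51.100.7
shop.example.net.  86400 IN CAA 0 issue "letsencrypt.org"
"""

def parse_caa(zone_text):
    """Return {owner: [(flags, tag, value), ...]} for CAA lines in zone text."""
    records = {}
    for line in zone_text.splitlines():
        f = line.split()
        # Expected form: <owner> <ttl> IN CAA <flags> <tag> <value>
        if len(f) < 7 or f[2].upper() != "IN" or f[3].upper() != "CAA":
            continue
        if not f[4].isdigit():
            continue
        owner = f[0].rstrip(".").lower()
        value = " ".join(f[6:]).strip('"')
        records.setdefault(owner, []).append((int(f[4]), f[5].lower(), value))
    return records

def relevant_caa(name, records):
    """Climb from name toward the root; the first name with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return candidate, records[candidate]
    return None, []

def ca_may_issue(name, ca_domain, records):
    """True if ca_domain may issue a non-wildcard certificate for name."""
    _, rrset = relevant_caa(name, records)
    issue = [value for _, tag, value in rrset if tag == "issue"]
    if not issue:  # no "issue" property found: issuance is not restricted
        return True
    # The issuer domain is the part before any ';' parameters.
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for host in ("www.example.com", "shop.example.net"):
        print(host, ca_may_issue(host, "letsencrypt.org", recs))
```

The record on the parent domain also governs `www`, which is why a certificate request for a host pointed at another provider fails even though that host has no CAA record of its own.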