AutoSSL added CAA DNS record?

Discussion in 'Security' started by zodiac9797, Feb 4, 2019.

  1. zodiac9797

    zodiac9797 Active Member

    Hello,
    just noticed that some of our clients have a CAA record in their DNS zone record.
    We didn't add this record, and neither did the client.
    The only thing I can recall is clicking "issue AutoSSL for this account" to "force" immediate AutoSSL for the domain. Is it possible that this action added the CAA record?

    DNS record: xxx.xxx.xxx. 86400 IN CAA 0 issue comodoca.com

    This was discovered because the client tried to issue a new certificate and the DNS record didn't allow this.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @zodiac9797,

    Yes, this is part of the AutoSSL feature as of cPanel & WHM version 76:

    Can you provide more information about the problem this led to?

    Thank you.
     
  3. zodiac9797

    zodiac9797 Active Member

    Hi @cPanelMichael, we have a client hosted on our server (cPanel account), but for the web he is using another service. We have added an A record to his domain's DNS zone to "redirect" his domain to another web hosting service (different server / IP address). He is still using our mail server and other things, but for the website he is using another company.

    The problem is that they use 'Let's Encrypt' SSL, and everything was working fine for the last year or so, but now, when the certificate expired, their service was unable to renew it since there was a CAA record which limited his domain to a Comodo certificate.

    Basically the problem is when a client has a cPanel account on one server and uses a DNS record to redirect www. to another server which uses a different SSL certificate. I believe that the same problem will be with the MX record...

    Please let me know if I didn't explain the problem well enough.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @zodiac9797,

    SSL certificates issued through the AutoSSL feature are only intended for domains that resolve to the cPanel & WHM server. In this case, you'll need to exclude the domain and its subdomains from the AutoSSL feature using the SSL/TLS Status option in cPanel. This will prevent the AutoSSL pre-flight check from generating the CAA records in the domain's DNS zone.

    You can remove any existing CAA records through WHM's Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone) or through cPanel's Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).

    Thank you.
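
The CAA behaviour discussed in this thread, as an added example that is not part of the original posts or cPanel's own code: it parses zone-file lines and applies the CAA lookup rule (climb from the requested name toward the root, first name with CAA records decides) to show why a record on the parent domain blocks another CA for `www`. The zone data is constructed, `letsencrypt.org` is the issuer identifier Let's Encrypt uses, and the check is simplified to non-wildcard names without CNAME handling or the critical flag.

```python
import re

# Constructed sample zone; the CAA line mirrors the record quoted in the thread.
SAMPLE_ZONE = """\
example.com.      86400 IN CAA 0 issue comodoca.com
example.com.      86400 IN A   192.0.2.10
www.example.com.  86400 IN A   198.51.100.20
open.example.     86400 IN A   192.0.2.30
"""

# owner, TTL, class IN, type CAA, flags, tag, value (quoted or bare)
CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"?([^"]*)"?\s*$', re.I)

def parse_caa(zone_text):
    """Return {owner: [(tag, issuer_domain), ...]} for every CAA line."""
    records = {}
    for line in zone_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            owner, _flags, tag, value = m.groups()
            issuer = value.split(";")[0].strip().lower()  # drop any parameters
            key = owner.lower().rstrip(".")
            records.setdefault(key, []).append((tag.lower(), issuer))
    return records

def relevant_rrset(records, fqdn):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in records:
            return name, records[name]
    return None, []

def may_issue(records, fqdn, ca_domain):
    """True if the CA identified by ca_domain may issue a non-wildcard cert."""
    _, rrset = relevant_rrset(records, fqdn)
    issuers = [value for tag, value in rrset if tag == "issue"]
    if not issuers:
        return True  # no CAA found, or no "issue" property: unrestricted
    return ca_domain.lower() in issuers  # an empty value (";") matches no CA
```

Running `may_issue(parse_caa(zone), "www.example.com", "letsencrypt.org")` against an exported zone before pointing a hostname at an external host shows whether that host's CA will be refused.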
     