Hello,
Thank you for your reply. Yes, I did get it fixed. I had to turn off some Cloudflare settings so it didn't make the extra records, then deleted and recreated the CAA record, and it is now working. I'm using Cloudflare for hosting my domains, pointing them to my VPS. I rather like them; they have really cut my costs.
Thanks. Dave.
On 7/1/2024 6:14 PM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
Hope you got it fixed. What are you using Cloudflare for? I'm thinking of moving my domains away from Gandi as I've seen a couple of things they are doing that I don't like (for example, charging extra for DNSSEC support on the domains). When I worked for a large company we were seriously looking at using their content delivery network with their reverse proxy, but that certainly wasn't a free solution, though I think some of it is at consumer-level pricing now.
Andrew.
-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Thursday, June 27, 2024 12:39 AM
To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
Hello,
Thanks, that sounds like exactly what is happening. Now I'm off to confirm it and fix it.
Thanks. Dave.
On 6/26/2024 5:59 PM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
I'm seeing the same at this end using dig. Did you read this article: https://developers.cloudflare.com/ssl/edge-certificates/caa-records/
CAA records added by Cloudflare
Cloudflare adds CAA records automatically in two situations:
- When you have Universal SSL enabled and add any CAA records to your zone.
- When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
These records make sure Cloudflare can still issue Universal certificates on your behalf.
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):
Sounds like that is what is happening here.
Andrew.
-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 6:15 PM
To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
Hello,
Thanks for your reply. Here's what is in my Cloudflare record on their site:
Type: CAA
Name: davemehler.com
Flags: it has 0, with no way to edit
Tag: allow only specific hostnames
CA domain name: letsencrypt.org
That's what is in the record stuff I entered. On the main page it shows:
CAA davemehler.com 0 issue letsencrypt.org
and here's the dig output, in a different order each time; something is wrong:
host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
Thanks. Dave.
On 6/26/2024 11:53 AM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
What record did you think you added, and what is dig coming back with?
Thanks. Andrew.
-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 4:48 PM
To: blind-sysadmins@lists.hodgsonfamily.org
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Cloudflare DNS Provider and CAA records?
Hello,
If anyone is using Cloudflare as their DNS provider and uses a CAA record, please contact me. I attempted to do one on my other domain, intending for only Let's Encrypt to be able to issue certificates for my domain, but a dig check reveals many other providers that I didn't authorize.
Obviously I did something wrong.
Thanks. Dave.
-- Sent from Mozilla Thunderbird 91.13.1
_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
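As an added example (not from the thread, Cloudflare, or the list), a small Python check that does what Dave's dig check did by eye: it parses `host -t CAA` output (the constructed sample below is the zone's records as quoted above), applies the RFC 8659 issue/issuewild rules, and reports every CA the zone actually authorizes beyond the intended allowlist of letsencrypt.org.

```python
import re

# Constructed sample: the `host -t CAA` output quoted in the thread, one record per line.
HOST_OUTPUT = """\
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
"""

LINE_RE = re.compile(r'^(\S+) has CAA record (\d+) (\S+) "([^"]*)"$')

def parse_host_caa(text):
    """Parse `host -t CAA` output into (name, flags, tag, value) tuples; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, flags, tag, value = m.groups()
            records.append((name, int(flags), tag, value))
    return records

def authorized_cas(records):
    """CA domains permitted to issue (RFC 8659): the domain is the value before the
    first ';' (parameters like cansignhttpexchanges=yes are ignored); an empty domain
    forbids issuance. With no issuewild records, wildcards fall back to the issue set."""
    issue, wild = set(), set()
    for _, _, tag, value in records:
        ca = value.split(";", 1)[0].strip()
        if not ca:
            continue
        if tag == "issue":
            issue.add(ca)
        elif tag == "issuewild":
            wild.add(ca)
    return {"issue": issue, "issuewild": wild if wild else set(issue)}

def unexpected_cas(records, allowed):
    """CAs the zone authorizes beyond the intended allowlist, keyed by tag."""
    return {tag: sorted(cas - set(allowed))
            for tag, cas in authorized_cas(records).items()}

if __name__ == "__main__":
    print(unexpected_cas(parse_host_caa(HOST_OUTPUT), {"letsencrypt.org"}))
```

Run against live data by piping `host -t CAA yourdomain` into `parse_host_caa`; an empty result for both tags means only the CAs you intended can issue.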