.: ACME-CAA

Let's Encrypt recently introduced support for ACME-CAA.

I've now extended my existing CAA DNS entries with the ACME-CAA properties:

% dig +short -t CAA x-way.org
0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/68891730; validationmethods=http-01"
0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/605777876; validationmethods=http-01"

The effect of this is that Let's Encrypt will only grant a signed TLS certificate if the request comes from one of my two accounts (authenticated with the corresponding private key).
If the certificate request comes from a different account, no TLS certificate will be granted.
This protects against man-in-the-middle attacks, specifically against attacks where someone between Let's Encrypt and my server would be trying to impersonate my server to obtain a signed TLS certificate.

Addendum:
In case you're wondering where to get the accounturi value from, it can be found in your account file:

% cat /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json
{"body": {}, "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/605777876"}

blog comments powered by Disqus
Navigation
x-log
Archive
About
Blogs
mk
vowe.net
der Uninformat
Inliniac
To Linux and beyond!
#!/bin/blog
beetlebum
Su-Shee 2.0
Veni, Vidi, VISA
The Lone Sysadmin
Code as Craft
yelp Engineering
Wandering Thoughts
Thoughts on programming
eklitzke.org
rachelbythebay.com
Benjojo.co.uk
charity.wtf
danielmiessler.com
ieftimov.com
mdlayher.com
Krebs on Security
Troy Hunt
gru.gq
BrewDog
The Travelling Pigeon
Topics
Misc
Webdesign
Coding
Tech
Networking
Linux
School
Mac
NetBSD
Music
Cinema
Badges
Food