Let’s Encrypt

How to prevent Let’s Encrypt from issuing a certificate for your domain

Are you acquiring your certificates from a certificate authority other than Let’s Encrypt? Now you can block Let’s Encrypt and certificate authorities other than the ones you actually have a relationship with from misissuing certificates for your domain. All it takes are a few extra DNS records.

Let’s Encrypt has fully automated the certificate issuance and renewal process and has lowered the cost and technical barrier to deploying client-to-server encryption on the web. Certificates are issued for any domain that can pass a set of challenges, which revolve around demonstrating control over the standard port for web traffic (TCP 80) at the addresses in a given domain’s A or AAAA (IPv4 or IPv6) records.

As an additional security measure, Let’s Encrypt also checks and verifies any CAA records for the domain stored in DNS. CAA, or certificate authority authorization records, are a set of instructions specifically for CAs that can be used to grant exclusive issuance permission to one or more CAs.

Let’s Encrypt was one of the very first CAs to implement checks for CAA records. They query DNS for CAA records from multiple geographically dispersed locations around the world. If any conflicting CAA record is found, they refuse to issue a certificate for the domain. If you’ve configured multiple DNS service providers to act as nameservers for your domain, Let’s Encrypt’s approach helps protect your domain even if one nameserver has been compromised by an attacker.

Assuming you want to allow only DigiCert to issue certificates for your domain, blocking Let’s Encrypt and every other CA, you can tell any CA that asks by publishing the following DNS records (shown below in BIND format):

example.com.  IN  CAA  0 issue "digicert.com"
example.com.  IN  CAA  0 issuewild ";"

The above example says that only a certificate authority that self-identifies as digicert.com can issue a certificate for the example.com domain. Furthermore, it says that only a CA that identifies as the empty string (meaning no one) can issue a wildcard certificate for the domain.

There are a couple more CAA records you should set, which I go into more detail about in a past article. You also need to set CAA records for any subdomain, including www, in addition to your root domain. You should review my previous article in detail before deploying any CAA records on your domains.
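To make the evaluation rules concrete, here is an added example (not code from the article or from Let’s Encrypt) that parses the two BIND-format records above into a small in-memory zone and applies the issue/issuewild logic the way a CA must before issuing, including the rule that a request for a subdomain with no CAA records of its own is judged against the closest ancestor that has them. The api.example.com record and the CA names passed in are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample zone: the article's two records plus one subdomain policy.
SAMPLE_ZONE = """
example.com.      IN  CAA  0 issue "digicert.com"
example.com.      IN  CAA  0 issuewild ";"
api.example.com.  IN  CAA  0 issue "letsencrypt.org"
"""

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 = "issuer critical": unknown tag => must not issue
    tag: str     # issue, issuewild, iodef, ...
    value: str   # issuer domain (possibly with ";params"), or ";" for nobody

def parse_caa(zone_text: str) -> dict:
    """Parse BIND-style CAA lines into {owner name -> [CAARecord, ...]}."""
    out: dict = {}
    for line in zone_text.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) != 6 or parts[2].upper() != "CAA":
            continue
        name, _cls, _rtype, flags, tag, value = parts
        out.setdefault(name.rstrip(".").lower(), []).append(
            CAARecord(int(flags), tag.lower(), value.strip().strip('"')))
    return out

def relevant_rrset(records: dict, name: str) -> list:
    """First name from `name` toward the root that has a CAA RRset (RFC 8659)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrs = records.get(".".join(labels[i:]))
        if rrs:
            return rrs
    return []  # no CAA anywhere up the tree: issuance is unrestricted

def issuer_domain(value: str) -> str:
    """'digicert.com; policy=ev' -> 'digicert.com'; ';' -> '' (no one may issue)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(records: dict, name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` is permitted to issue for `name` under the CAA policy."""
    rrs = relevant_rrset(records, name)
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrs):
        return False  # critical flag on a tag this CA does not understand
    issue = [issuer_domain(r.value) for r in rrs if r.tag == "issue"]
    issuewild = [issuer_domain(r.value) for r in rrs if r.tag == "issuewild"]
    allowed = issuewild if (wildcard and issuewild) else issue  # issuewild overrides for wildcards
    return not allowed or ca.lower() in allowed  # no restricting records => anyone may issue
```

With the sample zone, digicert.com is allowed for example.com and www.example.com but no CA at all may obtain a wildcard, while api.example.com follows its own record instead of its parent's.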

All CAs have agreed to start checking CAA records by .