Editing new DNS CAA Records to use Wilcard SSL, is this a bug ?

Discussion in 'ISPConfig 3 Priority Support' started by etruel, Jul 27, 2019.

  1. etruel

    etruel Member HowtoForge Supporter

    I'll try to be as clear as I can. In this server I have debian 8.
    I'm trying to make a Let's Encrypt SSL Wildcard domain. I got it for the main domain: "fakturo.org", but no for "yipies.fakturo.org" that shows the clasic "Warning: Potential Security Risk Ahead"
    The website config is:

    After install 3.14p2 and edit the website SSL tab, two records CAA was inserted in it's DNS Zone.
    Number 2 Can be edited Well. I checked Use Wildcard SSL but nothing changed.

    Number 1 give an error on regex when I try to save.
    This is the first view when I go to edit.

    Then I check Use Wildcard SSL and save and gives that error. name_error_regex and changes the readonly field from '*.fakturo.org' to just '*'
    (The '*' seems to be the problem.)

    Can you point me in the right direction to get Let's Encrypt wildcard SSL ?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The CAA record is not directly related to the SSL cert or in other words, the purpose of a CAA record is to tell the SSL authority if it may issue a cert at all for your domain. If the CAA would have been wrong, then you would not have got an SSL cert from LE at all. As you got an SSL cert, your issue is not the CAA record. In ISPConfig you can not get wildcard LE SSL certs and that's why you did not get one. Wildcard SSL certs require DNS authentication and ISPConfig supports only webroot authentication.

    So there is no issue with CAA records here, ISPConfig just does not support wildcard LE certs yet due to the requirement of DNS auth. There are several posts about that in the forum btw.
    etruel and Taleman like this.
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    etruel likes this.
  4. etruel

    etruel Member HowtoForge Supporter

    Thanks guys,
    Very clear Till, and also Taleman on how to search specifically. I’ll research about make it manually.
    But the issue part, I still have a doubt, I’ve talked about I can’t edit the CAA record added automatically by ISPConfig with * by the ‘name_error_regex’ system notice. (I can’t add it a dot or anything)
    Is this ok because ISPConfig does not support wildcard LE certs yet?

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't enter anything into the additional hostnames field, all you have to do is to tick the wildcard checkbox. As the description of the field says, it has to be empty for all hostnames.
  6. etruel

    etruel Member HowtoForge Supporter

    Additional hostnames is readonly. After tick the wildcard checkbox, I can’t save the record by the error.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Delete the record and recreate it. The reason for the error is that you entered *.fakturo.org into the additional hosts field.

Share This Page