2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem: [www.niem.es] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for niem.es: CAA record for niem.es prevents issuance, While processing CAA for www.niem.es: CAA record for www.niem.es prevents issuance
Alas, no email received from them either.
If you own a domain, you should certainly configure CAA. It appears to work and is another preventive control against phishing.
One of the things I do when examining a website is to run it through Qualys’s SSL Labs Server Test. It does not provide a ‘security’ score per se, but it can be a good first step in making sure sessions are end-to-end encrypted between your users and your website.
TLS v1.1 and earlier have known vulnerabilities, so it’s important to disallow them and prevent eavesdropping.
As for CAA, I originally thought this was to prevent man-in-the-middle (MitM) attacks, but the RFC says otherwise:
The Certification Authority Authorization (CAA) DNS Resource Record
allows a DNS domain name holder to specify the Certification
Authorities (CAs) authorized to issue certificates for that domain.
Publication of CAA Resource Records allows a public Certification
Authority to implement additional controls to reduce the risk of
unintended certificate mis-issue.
Digging a bit deeper, it appears the CAA RFC supports something interesting called IODEF (an iodef property that tells a CA where to report requests that violate the domain’s CAA policy). So of course, I had to see if I could activate it.
That’s something I’ll be testing in a future post.
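To make the error at the top of this post concrete, here is an added example (not code from the original post) that models the CAA evaluation a CA performs per RFC 8659 against a constructed zone: climb from the requested name toward the root, take the first label with CAA records, and check the issue/issuewild tags against the CA’s identifier. The zone data and CA names are constructed assumptions, not niem.es’s real DNS.

```python
# Added example: offline model of RFC 8659 CAA evaluation.
# ZONE below is a constructed sample, not real DNS data.
from typing import NamedTuple

class CAA(NamedTuple):
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain (optionally ";params"), or a URL for iodef

KNOWN_TAGS = ("issue", "issuewild", "iodef")

# Constructed zone. CAA is published at the apex only, so www.* inherits it,
# which is exactly why a request for www.<apex> is refused for another CA.
ZONE = {
    "example.com.": [CAA(0, "issue", "digicert.com"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "www.example.com.": [],
    "blog.example.com.": [CAA(0, "issue", "letsencrypt.org")],
    "locked.example.com.": [CAA(0, "issue", ";")],   # "issue ;" = nobody
    "shop.example.com.": [CAA(0, "issue", "digicert.com"),
                          CAA(0, "issuewild", ";")],  # no wildcard certs
}

def relevant_caa(name, zone):
    """Walk toward the root; the first ancestor (or the name itself) that
    has any CAA records is the relevant set. [] means no CAA anywhere."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def may_issue(name, ca_domain, zone, wildcard=False):
    """True if ca_domain may issue a certificate for name (or *.name)."""
    rrset = relevant_caa(name, zone)
    # An unrecognised property marked critical forbids issuance outright.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        props = [r for r in rrset if r.tag == "issuewild"]
    else:
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True  # no issue restriction published: any CA may issue
    allowed = {r.value.split(";")[0].strip().lower() for r in props}
    return ca_domain.lower() in allowed

def reports_to(name, zone):
    """iodef destinations a CA should notify about a refused request."""
    return [r.value for r in relevant_caa(name, zone) if r.tag == "iodef"]
```

Running may_issue("www.example.com", "letsencrypt.org", ZONE) returns False, the same situation the ACME client reported above, while reports_to shows where the iodef report would go.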
Update: I’m now at A+:
29 Dec 2019
How? I looked at other sites that were receiving A+ ratings and didn’t find many differences – key exchange was the same (rsa 2048) and they had ciphers that were 128 bits as well (similar to my site). HSTS was the big difference, and so I added this to my httpd.conf under the :443 virtual server:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"