Enhance BlahDNS SSL Certificate to avoid America Certificate Authority Authorization (CAA)

We have … Let’s encrypt problem before

  1. https://www.reddit.com/r/sysadmin/comments/hqjmmb/comment/fxydhrf
  2. https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

How about Zero SSL

Finally, Buypass SSL

Norwegian certificate authority offering free SSL certificates valid for 180 days (Technical specifications). No wildcard certificates.

ACME directory URL: https://api.buypass.com/acme/directory

Chains up to “Buypass Class 2 Root CA” valid until 2040

DNS CAA: buypass.com

Rate limits: 20 per registered domain/week, 5 duplicate certificates/week.

https://www.buypass.com/ssl/resources/caa

First, Add CAA record in to DNS resolver.

dot-ch.blahdns.com example: https://crt.sh/?id=5636879379

❯ dig blahdns.com CAA @9.9.9.9 +short
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "letsencrypt.org"
0 issue "buypass.no"
0 issue "buypass.com"
0 issuewild "buypass.no"
0 issuewild "buypass.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "comodoca.com"

Learn more about what is CAA type on DNS record

  1. https://geekflare.com/dns-caa-record/
  2. https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/caa-records

Acme.sh setup

# https://github.com/acmesh-official/acme.sh/wiki/Server

acme.sh --server buypass \
        --register-account  --accountemail [email protected]

acme.sh --server buypass --days 170 --standalone  --issue -d doh.blahdns.com -d blahdns.com

acme.sh --renew -d blahdns.com

If you got error below, which mean you have to add CAA record to your DNS

Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:compound","detail":"Some of the identifiers requested were rejected ","subproblems":[{"type":"urn:ietf:params:acme:error:caa","detail":"Domain is rejected due to CAA forbids issuance","identifier":{"type":"dns"},"code":0},{"type":"urn:ietf:params:acme:error:caa","detail":"Domain is rejected due to CAA forbids issuance","identifier":{"type":"dns"},"code":0}],"code":403,"message":"COMPOUND","details":"HTTP 403 Forbidden"}

ZeroSSL as alternative

ZeroSSL is a Austrian certificate authority offering free certificates valid for 90 days using root provided by Sectigo (UK).

So far, ACME client acme.sh use ZeroSSL as default provider. It may protect you from United Stated American company force you to fulfill their regulation.