Enhance Blah DNS SSL Certificates to avoid American CAs using Certification Authority Authorization (CAA)

We have … Let’s encrypt problem

As of April 2021 there are suddenly a lot of sites that rely on the Let’s Encrypt CA for free SSL certificates valid for 90 days. However, a nightmare happened when the DST Root CA X3 root expired on Sept. 30 2021.

Here are some points of view collected from the internet.

  1. https://www.reddit.com/r/sysadmin/comments/hqjmmb/comment/fxydhrf
  2. https://scotthelme.co.uk/lets-encrypt-old-root-expiration/
  3. https://community.letsencrypt.org/t/ocsp-int-x3-letsencrypt-org-is-not-working-in-china/118552
  4. https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190
  5. https://blog.user.today/free-ssl-victim-dst-root-ca-x3 (Chinese version)

Let’s look for an alternative that is less popular than Let’s Encrypt but provides at least the same functionality. Here are the results that I think may fit my needs.

Zero SSL

ZeroSSL is based in Europe (UK and Austria) and offers a limited number of free TLS/SSL certificates with a lifetime of 90 days.

The ACME client acme.sh chose ZeroSSL as its default CA starting from August 1, 2021.

It may protect you from the following:

  1. A United States company forcing you to comply with its regulations.
  2. The root is provided by Sectigo (UK).
  3. Reduced risk from depending on the number one CA provider.
  4. ZeroSSL can issue certificates for IP addresses, which is better for the default configuration of Nginx / Apache and helps against network scanners like shodan.io.

BuyPass GO SSL

A Norway-based certificate authority offering free SSL certificates valid for 180 days (Technical specifications). No wildcard certificates.

ACME directory URL: https://api.buypass.com/acme/directory

Chains up to “Buypass Class 2 Root CA”, valid until 2040.

DNS CAA: buypass.com

Rate limits: 20 per registered domain/week, 5 duplicate certificates/week

First, add the CAA records for the domain in DNS.

dot-ch.blahdns.com example: https://crt.sh/?id=6679935109

❯ dig blahdns.com CAA @9.9.9.9 +short
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "letsencrypt.org"
0 issue "buypass.no"
0 issue "buypass.com"
0 issuewild "buypass.no"
0 issuewild "buypass.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "comodoca.com"

Learn more about the CAA record type in DNS:

  1. https://geekflare.com/dns-caa-record/
  2. https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/caa-records

acme.sh setup

# https://github.com/acmesh-official/acme.sh/wiki/Server

acme.sh --server buypass \
        --register-account  --accountemail [email protected]

acme.sh --server buypass --days 170 --standalone  --issue -d doh.blahdns.com -d blahdns.com

acme.sh --renew -d blahdns.com

If you get the error below, it means you have to add the CAA records for the CA to your DNS:

Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:compound","detail":"Some of the identifiers requested were rejected ","subproblems":[{"type":"urn:ietf:params:acme:error:caa","detail":"Domain is rejected due to CAA forbids issuance","identifier":{"type":"dns"},"code":0},{"type":"urn:ietf:params:acme:error:caa","detail":"Domain is rejected due to CAA forbids issuance","identifier":{"type":"dns"},"code":0}],"code":403,"message":"COMPOUND","details":"HTTP 403 Forbidden"}
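Before running acme.sh against a new CA, you can check whether the CAA set permits it and avoid the "CAA forbids issuance" error above. As an added example (not part of the original post or of acme.sh), the Python below parses the `dig +short` CAA output shown earlier and evaluates, following RFC 8659, whether a given CA may issue for the name or for a wildcard of it; the RRset is a constructed copy of the blahdns.com records, the function names are chosen here, and the parent-domain climb a real CA performs is deliberately left out.

```python
import re

# Constructed copy of the blahdns.com CAA RRset as `dig ... CAA +short` prints it.
CAA_RRSET = """\
0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "letsencrypt.org"
0 issue "buypass.no"
0 issue "buypass.com"
0 issuewild "buypass.no"
0 issuewild "buypass.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "comodoca.com"
"""

CAA_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')   # flags tag "value"


def parse_caa(text):
    """Parse dig +short CAA lines into (flags, tag, issuer-domain, params) tuples."""
    records = []
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        issuer, *params = [p.strip() for p in value.split(";")]
        params = dict(p.split("=", 1) for p in params if "=" in p)
        records.append((flags, tag, issuer.lower(), params))
    return records


def caa_permits(records, ca_domain, wildcard=False):
    """RFC 8659 check for one name: may ca_domain issue (wildcard=True for *.name)?"""
    issue = [r for r in records if r[1] == "issue"]
    issuewild = [r for r in records if r[1] == "issuewild"]
    # For a wildcard name, issuewild records (when present) replace the issue set.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # No restriction for this name type: any CA may issue, unless a record
        # with an unknown tag carries the critical flag (bit 128) -> refuse.
        known = ("issue", "issuewild", "iodef")
        return not any(r[0] & 128 and r[1] not in known for r in records)
    # `issue ";"` parses to an empty issuer and therefore matches no CA.
    return any(r[2] == ca_domain.lower() for r in relevant)


def check_ca(ca_domain, text=CAA_RRSET):
    """Report whether ca_domain may issue plain and wildcard certs for this RRset."""
    records = parse_caa(text)
    return {"issue": caa_permits(records, ca_domain),
            "issuewild": caa_permits(records, ca_domain, wildcard=True)}
```

Run it with the CA you are about to switch to (for Buypass, "buypass.com" as listed on their ACME page); a False result means the ACME order will be rejected with the error shown above.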

Last updated at: May 29, 2022