suggestion: if a CAA record exists for a domain, use it to decide what CA to use
#3990 opened on Mar 18, 2022
Description
Related to https://github.com/acmesh-official/acme.sh/issues/3556, I would like to request that, for domains which have published (as a CAA record) a preference for a certain CA, that ACME server be set as the default for that domain.
What actually happened: I noticed this when I was trying to troubleshoot an unrelated deploy issue. I cloned a brand-new .acme.sh directory, and did a clean issue of my domain. Then, the certificate was issued using zerossl.
What I would like to happen:
The acme.sh script should first check for CAA records for the given domain. If one is found, and the issue or issuewild tags are present (depending on if the requested certificate is a wildcard), the tag (or tags) should be checked against the list of ACME servers. If there's a match, that server should be preferred for that domain.
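The selection logic requested above, sketched as an added example (not acme.sh's own code and not part of the original issue): it reads an already-fetched CAA RRset in `dig +short CAA` form on stdin and prints the matching `--server` short name. The function names and the issuer-to-server mapping are assumptions made for illustration, and the DNS lookup itself (including climbing to parent domains) is left out.

```shell
#!/bin/sh
# Map a CAA issuer domain to an acme.sh --server short name.
# Assumed mapping for illustration; extend it to the CAs you actually use.
caa_issuer_to_server() {
  case "$1" in
    letsencrypt.org) echo letsencrypt ;;
    sectigo.com)     echo zerossl ;;
    pki.goog)        echo google ;;
    buypass.com)     echo buypass ;;
    *) return 1 ;;
  esac
}

# caa_pick_server WILDCARD(0|1) < CAA records, one per line: flags tag "value"
# Prints the first matching server; returns 1 when the RRset expresses no
# usable preference (unknown CA, or an empty issuer such as issue ";").
caa_pick_server() {
  _wild="$1"; _issue=""; _issuewild=""; _has_wild=0
  while read -r _flags _tag _value; do
    # Strip quotes, lowercase, drop parameters after ';' and stray blanks.
    _value=$(printf '%s' "$_value" | tr -d '"' | tr 'A-Z' 'a-z')
    _value=${_value%%;*}
    _value=$(printf '%s' "$_value" | tr -d ' \t')
    case "$(printf '%s' "$_tag" | tr 'A-Z' 'a-z')" in
      issue)     _issue="$_issue $_value" ;;
      issuewild) _has_wild=1; _issuewild="$_issuewild $_value" ;;
    esac
  done
  # RFC 8659: for a wildcard name, issuewild properties replace issue
  # properties whenever at least one issuewild property is present.
  if [ "$_wild" = 1 ] && [ "$_has_wild" = 1 ]; then
    _list="$_issuewild"
  else
    _list="$_issue"
  fi
  for _ca in $_list; do
    caa_issuer_to_server "$_ca" && return 0
  done
  return 1
}

# Constructed sample (not real DNS data): a wildcard request against a mixed RRset.
printf '%s\n' '0 issue "sectigo.com"' '0 issuewild "letsencrypt.org"' |
  caa_pick_server 1
```

A non-zero return means the caller should fall back to its configured default server rather than guess.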