Free SSL certificates at smarthost.eu and DNS zone at a third-party provider

On our hosting platform, SSL certificates are issued automatically when the domain is attached as well as renewed automatically before the expiration period (free certificates are issued for 3 months and our system makes sure that they are renewed regularly).

Certificates are generated automatically when we perform a classic basic configuration:

  • connect domains in cPanel at smarthost.eu
  • set up DNS servers on smarthost.eu

Sometimes we have a more complex configuration – for example, the mail is on the hosting server of company A, and the website is on the server of company B. With most providers this is not a problem, but there are exceptions. For example, if the DNS servers point to company X, and the website is pointed to a different server (via the so-called A record), the free SSL certificate may not be issued or renewed. Why does this happen, and how can it be remedied?

CAA records in the DNS system

Some time ago, a new record called CAA (Certification Authority Authorization) was added to the DNS system. This is a record in the DNS zone that describes which authorities can issue SSL certificates for a given domain.

Most DNS systems do not add this record – so there are no problems with issuing both paid and free certificates from any trusted provider.

However, some companies automatically add the following entries to their DNS system:

customer-domain.eu. 3600 IN CAA 0 issue "certum.eu"
customer-domain.eu. 3600 IN CAA 0 issue "letsencrypt.org"
customer-domain.eu. 3600 IN CAA 0 issuewild "letsencrypt.org"
customer-domain.eu. 3600 IN CAA 0 issuewild "certum.eu"

The above entries mean that only SSL certificates signed by Certum.eu and Let's Encrypt can be issued for a domain whose DNS servers are set to Company X. It does not matter that the A record points to a server other than the one operated by Company X: what decides is the CAA record in the DNS zone.

Default CAA entries that block the issuance of certificates other than those indicated usually cannot be removed in the domain management system.

Solution to CAA lockout problem

At smarthost.eu, the default and automatic free SSL certificate is signed by one of the world's largest certificate authorities, Comodo (which recently changed its name to Sectigo). To allow us to issue an SSL certificate, you need to add the following entry to the zone:

customer-domain.eu. 3600 IN CAA 0 issue "comodoca.com"

After adding this entry, you must wait for the so-called DNS propagation time – the time it takes for all resolvers in the world to notice the change, which in practice is at most 24 hours. From then on, the free certificate will be issued by smarthost.eu automatically and will also renew automatically.
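To check in advance whether a given CA is allowed by a zone's CAA records (the lockout described above and the effect of the added comodoca.com entry), here is an added example that is not smarthost.eu's own code. It implements the CAA lookup rules from RFC 8659 (closest CAA RRset going up the tree, issue vs. issuewild, an empty issuer meaning nobody) over a constructed zone that copies the records quoted in this article; the parse_zone, relevant_caa and ca_may_issue names are ours.

```python
import re

# Constructed sample zone modelled on the article's records; "customer-domain.eu" is the article's placeholder, not a real domain.
SAMPLE_ZONE = """
customer-domain.eu. 3600 IN CAA 0 issue "certum.eu"
customer-domain.eu. 3600 IN CAA 0 issue "letsencrypt.org"
customer-domain.eu. 3600 IN CAA 0 issuewild "letsencrypt.org"
customer-domain.eu. 3600 IN CAA 0 issuewild "certum.eu"
"""
FIX_RECORD = 'customer-domain.eu. 3600 IN CAA 0 issue "comodoca.com"'  # the entry the article asks you to add

CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_zone(text):
    """Parse zone-file style CAA lines into {owner: [(flags, tag, value), ...]}."""
    zone = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError("not a CAA record: " + line)
        owner, flags, tag, value = m.groups()
        key = owner.rstrip(".").lower()  # normalise trailing dot and case
        zone.setdefault(key, []).append((int(flags), tag.lower(), value))
    return zone

def relevant_caa(zone, name):
    """RFC 8659: the governing RRset is on the closest owner walking from name towards the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere above name: no policy

def ca_may_issue(zone, name, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue a certificate for name."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True  # no CAA records at all: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names when present
    allowed = set()
    for _, t, value in rrset:
        if t == tag:
            issuer = value.split(";", 1)[0].strip().lower()  # drop any parameters
            if issuer:  # an empty issuer (value ";") authorises nobody
                allowed.add(issuer)
    return ca_domain.lower() in allowed
```

Running ca_may_issue over SAMPLE_ZONE alone returns False for comodoca.com and True once FIX_RECORD is appended; note that a wildcard certificate would additionally need an issuewild entry for comodoca.com, because the existing issuewild records take precedence for wildcard names.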