
suggestion: if a CAA record exists for a domain, use it to decide what CA to use

bjmgeek opened this issue (1 comment)

Related to https://github.com/acmesh-official/acme.sh/issues/3556, I would like to request that, for domains which have published (as a CAA record) a preference for a certain CA, that ACME server be set as the default for that domain.

What actually happened: I noticed this when I was trying to troubleshoot an unrelated deploy issue. I cloned a brand-new .acme.sh directory, and did a clean issue of my domain. Then, the certificate was issued using zerossl.

What I would like to happen: The acme.sh script should first check for CAA records for the given domain. If one is found, and the issue or issuewild tags are present (depending on whether the requested certificate is a wildcard), the tag (or tags) should be checked against the list of ACME servers. If there's a match, that server should be preferred for that domain.

bjmgeek, Mar 18 '22 13:03

I agree that this is a good idea; this could still be combined with checking the CAA before asking for a certificate to be generated.

Example from just now: I requested an SSL certificate from zerossl; the script took about 5 minutes to execute while waiting for the certificate. The second run was the same.

And after changing to BuyPass SSL, their API responded immediately:

{ "type": "urn:ietf:params:acme:error:caa", "detail": "Domain is rejected due to CAA forbids issuance", "code":403, "message": "CAA", "details": "HTTP 403 Forbidden"}

Checking CAA at the outset might be a super idea.

Widmo, Jun 23 '22 10:06
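The CAA-to-server matching bjmgeek proposes, together with the pre-flight check that would have spared Widmo the 403 round trip, as an added Python example that is not acme.sh's own code: FAKE_DNS, ACME_SERVER_CAA_ID and the function names are constructed for this illustration, and the server-to-CAA-identifier mapping is an assumption to be verified against each CA's documentation.

```python
"""Choose an ACME CA from CAA records (added example, not acme.sh's own code).
RFC 8659 lookup: climb from the name towards the root and use the first CAA
RRset found; for wildcard names 'issuewild' overrides 'issue'. DNS is replaced
by a constructed table so this runs offline (acme.sh would use dig/nslookup).
"""
from __future__ import annotations

# Constructed stand-in for DNS answers: owner name -> [(tag, value), ...].
FAKE_DNS = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", "buypass.com")],
    "locked.example.org": [("issue", ";")],  # ';' alone forbids every CA
}

# Assumed mapping from acme.sh server names to each CA's CAA identifier;
# confirm against each CA's published documentation before relying on it.
ACME_SERVER_CAA_ID = {
    "letsencrypt": "letsencrypt.org",
    "buypass": "buypass.com",
    "zerossl": "sectigo.com",  # assumed: ZeroSSL certificates chain to Sectigo
}

def lookup_caa(name: str) -> list[tuple[str, str]]:
    """Relevant CAA RRset: the closest ancestor-or-self that has CAA records."""
    labels = name.removeprefix("*.").split(".")
    for i in range(len(labels)):
        rrset = FAKE_DNS.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def allowed_caa_ids(domain: str) -> set[str] | None:
    """CA identifiers allowed to issue for domain; None means no CAA restriction."""
    rrset = lookup_caa(domain)
    tag = "issue"
    if domain.startswith("*.") and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"
    if not any(t == tag for t, _ in rrset):
        return None  # no property of the relevant kind: issuance unrestricted
    # Keep only the CA domain; drop parameters such as "; validationmethods=...".
    return {v.split(";", 1)[0].strip() for t, v in rrset if t == tag} - {""}

def choose_acme_server(domain: str, default: str = "zerossl") -> str | None:
    """Prefer the default server if CAA permits it, else any permitted known
    server; None means CAA forbids all known CAs, so skip the ACME request."""
    allowed = allowed_caa_ids(domain)
    if allowed is None or ACME_SERVER_CAA_ID[default] in allowed:
        return default
    return next((s for s, ca in ACME_SERVER_CAA_ID.items() if ca in allowed), None)
```

A None result is the point of the pre-flight check: the client can report "CAA forbids issuance" locally instead of waiting on the CA to refuse.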