acmeproxy icon indicating copy to clipboard operation
acmeproxy copied to clipboard

Published 20 hours ago verified publisher icon catalyst

"Early renewals" expose CAA handling bug

Open fincham opened this issue 7 years ago • 0 comments

It's possible to request an "early renewal" where LE just checks the CAA record but doesn't require re-publishing a challenge. Currently this results in NXDOMAIN, and LE refusing to issue the cert.

Fix this by allowing CAA lookups for any expired challenges, but not the challenge responses.

fincham avatar Jun 24 '18 23:06 fincham