[英]Why I need an SSL certificate and SXG certificate separately to enable Signed Exchange for my website?
[英]Why can't I issue a SSL/TLS certificate for a subdomain of a Read The Docs website?
我有一个网站位于docs.example.com
类的子域中。
我想在something.docs.example.com
之类的子域中创建另一个网站。 我想使用 AWS Certificate Manager (ACM) 为该子域颁发 SSL/TLS 证书,但由于 CAA 记录而引发错误。
问题是docs.example.com
是指向readthedocs.io
的 CNAME。
当证书颁发机构查询域名并找到 CNAME 记录时,CA 应该在 CNAME 目标中查找 CAA 记录。
如果我使用命令dig caa docs.example.com
查询 CAA 记录,我会得到以下响应:
;; QUESTION SECTION:
;docs.example.com. IN CAA
;; ANSWER SECTION:
docs.example.com 300 IN CNAME readthedocs.io.
readthedocs.io. 3600 IN CAA 0 issue "comodoca.com"
readthedocs.io. 3600 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
readthedocs.io. 3600 IN CAA 0 issue "letsencrypt.org"
readthedocs.io. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
readthedocs.io. 3600 IN CAA 0 issuewild "comodoca.com"
readthedocs.io. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
readthedocs.io. 3600 IN CAA 0 issuewild "letsencrypt.org"
readthedocs.io. 3600 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
请注意,AWS ACM 不是 CAA 记录中列出的 CA 之一。 要解决此问题,这四个 Amazon CA 域之一需要有 CAA 记录:
amazon.com
amazontrust.com
awstrust.com
amazonaws.com
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.