when suggesting CAA records for a domain, suggest variants that bind to the account id and with validation methods used by mox

Should prevent potential MITM attacks, especially when done close to the
machine itself (where an HTTP/TLS challenge is intercepted to get a valid
certificate), as seen on the internet last month.
This commit is contained in:
Mechiel Lukkien
2023-12-21 15:16:30 +01:00
parent ca97293cb2
commit db3fef4981
11 changed files with 123 additions and 28 deletions


@ -609,8 +609,9 @@ many authentication failures).
if !existingWebserver {
sc.ACME = map[string]config.ACME{
"letsencrypt": {
DirectoryURL: "https://acme-v02.api.letsencrypt.org/directory",
ContactEmail: args[0], // todo: let user specify an alternative fallback address?
DirectoryURL: "https://acme-v02.api.letsencrypt.org/directory",
ContactEmail: args[0], // todo: let user specify an alternative fallback address?
IssuerDomainName: "letsencrypt.org",
},
}
}
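Review bot: the new `IssuerDomainName: "letsencrypt.org"` field in the quickstart ACME config has no comment saying what it is for, and the same literal is repeated at the `mox.DomainRecords(...)` call later in this file instead of being read back from `sc.ACME["letsencrypt"].IssuerDomainName`. A one-line comment that this must be exactly the issuer domain name the CA publishes for CAA would help, because a CAA `issue` record naming the wrong domain does not merely fail to help, it makes the CA refuse to issue at all; and taking the value from the config at the call site keeps the suggested CAA record in sync if a user later points `DirectoryURL` at another CA.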
@ -893,7 +894,7 @@ configured correctly.
// priming dns caches with negative/absent records, causing our "quick setup" to
// appear to fail or take longer than "quick".
records, err := mox.DomainRecords(confDomain, domain, domainDNSSECResult.Authentic)
records, err := mox.DomainRecords(confDomain, domain, domainDNSSECResult.Authentic, "letsencrypt.org", "")
if err != nil {
fatalf("making required DNS records")
}
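Review bot: the two arguments added to `mox.DomainRecords(confDomain, domain, domainDNSSECResult.Authentic, "letsencrypt.org", "")` are bare literals and the hunk gives no hint what the trailing empty string means. If it is the ACME account ID the commit title refers to (not yet known at quickstart time, before the account is registered), say so in a comment, and note in the printed output that the CAA suggestion shown here cannot yet carry the `accounturi` binding (RFC 8657), so the user should regenerate the records once the first certificate has been obtained; otherwise the quickstart output silently delivers a weaker CAA record than the title promises. The issuer domain should also come from the `sc.ACME` config set earlier in this file rather than a second copy of the literal. Minor, and pre-existing: the `fatalf("making required DNS records")` on the error path drops `err`, so the user never sees why record generation failed.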