Enabling ACME CAA Account and Method Binding.
Certification Authority Authorization (CAA), specified by RFC 8659, is a feature that allows ACME clients to use a specific DNS record
to limit which Certificate Authorities are allowed to issue for that domain name. Let's Encrypt has supported CAA for many years, and
support for it is mandated by the Baseline Requirements for all CAs.

Account Binding and Validation Method Binding are two extensions to CAA specified by RFC 8657.
Subscribers who wish to limit the sets of domain control validation methods (i.e. DNS-01, HTTP-01, and/or TLS-ALPN-01) which can be
used to demonstrate control over their domain name can include those methods in the "validationmethods" parameter of their CAA records.

Subscribers who wish to limit issuance to a specific ACME account can include that account's unique URL (as returned by the new endpoint with onlyReturnExisting set)
in the "accounturi" parameter of their CAA records.

Please see the RFCs linked above for exact specifications of the proper format of a CAA record.

These features have been enabled in Staging for a significant amount of time (over a year). We do not expect to see any breakages as a
result of enabling them in Production. If you observe any unexpected failures, please double-check your CAA records. If that does not
resolve your issue, as always please post in the Help category of this forum.

Source: https://community.letsencrypt.org/t/enabling-acme-caa-account-and-method-binding/189588/3


CAA record for charlotte.edu
https://caatest.co.uk/charlotte.edu
---
0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1726001367"
0 issue "amazon.com"
0 issue "godaddy.com"
0 issue "digicert.com"
128 iodef "mailto:hostmaster@uncc.edu"
0 issue "sectigo.com"


What is my Let's Encrypt account number?
$ sudo certbot show_account
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account details for server https://acme-v02.api.letsencrypt.org/directory:
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/1726001367
Email contact: someuser@charlotte.edu

We don't allow Let's Encrypt to issue certificates for our domains, but we allow a specific accounturi.
This site is an example of Let's Encrypt ACME-CAA.

Certificate issued by Let's Encrypt using the accounturi above
Certificate info for: acme-lecaa.charlotte.edu:443
CN and SANs info:
acme-lecaa.charlotte.edu

Issue/expiration dates:
notBefore=May 17 16:55:28 2024 GMT
notAfter=Aug 15 16:55:27 2024 GMT

Serial Number:
03:b0:fd:36:69:4f:57:64:aa:eb:ef:2d:23:28:51:b1:91:86

Public Key:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey

Intermediate Certificate Check:
issuer=C=US, O=Let's Encrypt, CN=R3


ACME CAA
ACME-CAA (RFC 8657) adds a new layer to the CAA record, specifying not just which certificate authority (CA)
can issue certificates for a domain, but also which account within that CA is authorized to do so. For example:

example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://some/lets-encrypt/account-id"

This strengthens security by preventing attackers from easily obtaining certificates: even if an attacker manages to pass a
domain-validation challenge at a CA like Let's Encrypt, the CA must still refuse, because the request does not come from the
designated account. The CAA record thus limits issuance to Let's Encrypt and, within Let's Encrypt, to that one account.

In the ACME protocol used by Let's Encrypt, an account is essentially a key pair: every request is signed with the account's
private key, so that key is what ties a certificate request to a particular subscriber. With accounturi in place, only someone
holding this key can get certificates for the domain, with a few exceptions.
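To make the processing rules concrete, the following is an added example (not Let's Encrypt's code, and not from the forum post or the article linked below) that evaluates whether a CAA RRset permits a given issuance request, applying the RFC 8659 rules for issue records and the critical flag together with the RFC 8657 accounturi and validationmethods parameters described at the top of this page. It looks only at the RRset found at the exact name (it skips the parent-domain climb and issuewild handling) and takes the conservative stance that a parameter the CA does not recognise means the record grants nothing. The charlotte.edu records are copied from this page; the other RRsets and the request values are constructed for the demonstration.

```python
"""Evaluate a CAA RRset against an ACME issuance request (RFC 8659 + RFC 8657).

Added example, not Let's Encrypt's implementation. Covers non-wildcard names
and the RRset at the exact name only; no issuewild handling, no tree climb.
"""
import re
from dataclasses import dataclass

CRITICAL_FLAG = 128                       # RFC 8659 §4.1: issuer-critical bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
KNOWN_PARAMS = {"accounturi", "validationmethods"}   # RFC 8657 §3 and §4


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str


def parse_caa_line(line: str) -> CaaRecord:
    """Parse one record in presentation format: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA presentation-format record: {line!r}")
    return CaaRecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def parse_issue_value(value: str):
    """Split an issue value into (issuer_domain, params).

    RFC 8659 §4.2: the issuer domain comes first; ';'-separated key=value
    parameters follow. An empty issuer domain means "no CA may issue".
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        key, val = p.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_permits(rec: CaaRecord, ca_domain: str, account_uri: str, method: str) -> bool:
    """Does a single issue record permit this CA, account and validation method?"""
    issuer, params = parse_issue_value(rec.value)
    if issuer == "" or issuer != ca_domain.lower():
        return False                      # empty issuer, or a different CA's record
    # Conservative assumption: an unrecognised parameter means this record
    # does not permit issuance, rather than being silently ignored.
    if set(params) - KNOWN_PARAMS:
        return False
    # RFC 8657 §3: accounturi must match the ACME account URL exactly.
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    # RFC 8657 §4: validationmethods is a comma-separated allow-list.
    if "validationmethods" in params:
        allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
        if method.lower() not in allowed:
            return False
    return True


def issuance_permitted(rrset_lines, ca_domain: str, account_uri: str, method: str) -> bool:
    """Decide whether the RRset permits the request. Any one permitting issue record suffices."""
    records = [parse_caa_line(line) for line in rrset_lines]
    # RFC 8659 §4.1: a critical record with an unknown tag forbids issuance outright.
    for rec in records:
        if rec.flags & CRITICAL_FLAG and rec.tag not in KNOWN_TAGS:
            return False
    issue_records = [rec for rec in records if rec.tag == "issue"]
    if not issue_records:
        return True                       # RFC 8659 §4.2: no issue tags, issuance unrestricted
    return any(record_permits(rec, ca_domain, account_uri, method) for rec in issue_records)


# RRset copied from this page (charlotte.edu as shown by caatest.co.uk).
CHARLOTTE_CAA = [
    '0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1726001367"',
    '0 issue "amazon.com"',
    '0 issue "godaddy.com"',
    '0 issue "digicert.com"',
    '128 iodef "mailto:hostmaster@uncc.edu"',
    '0 issue "sectigo.com"',
]
# Constructed RRsets for the other cases.
DNS_ONLY_CAA = ['0 issue "letsencrypt.org; validationmethods=dns-01"']
NOBODY_CAA = ['0 issue ";"']

if __name__ == "__main__":
    acct = "https://acme-v02.api.letsencrypt.org/acme/acct/1726001367"
    print("LE, bound account :", issuance_permitted(CHARLOTTE_CAA, "letsencrypt.org", acct, "http-01"))
    print("LE, other account :", issuance_permitted(CHARLOTTE_CAA, "letsencrypt.org", acct + "0", "http-01"))
    print("DigiCert          :", issuance_permitted(CHARLOTTE_CAA, "digicert.com", "n/a", "http-01"))
    print("dns-01 only, http :", issuance_permitted(DNS_ONLY_CAA, "letsencrypt.org", acct, "http-01"))
```

Run it with your own zone's CAA lines pasted into the list to check, before the CA does, that the account URL printed by `certbot show_account` is the one your records actually name; a typo in the accounturi is the most likely cause of the "unexpected failures" the announcement above warns about.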

Here is an excellent article by Hugo Landau (OpenSSL project) on this topic. https://www.devever.net/~hl/acme-caa-live