-2

I've set up a guest network behind the same public IP as a home web server running Seafile. Communication between it and the clients is secured by the HTTPS protocol using a certificate signed by a local root CA.

How can I stop clients on the guest network from issuing certificates for the web server's domain using a service like Let's Encrypt on my behalf? I don't know how the validation process works for those sorts of services, but I'd imagine that you need to be able to send and receive packets from that address in the first place.

Thanks!

Facundo
  • 33

1 Answer

1

If you want to block Let's Encrypt (or any CA) from issuing for your domain, then publish a CAA record within your domain.

So if you want to block all CAs, you could add a record like:

    example.com.    IN      CAA     0 issue ";"

Zoredache
  • 20,021
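
How a CA that honours CAA would evaluate the record from the answer above, as an added example that is not part of the original answer. It follows the RFC 8659 rules (tree climbing, `issuewild` precedence, critical flag); the zone contents, the `example.org`/`example.net` entries and all function names are constructed for illustration, and `letsencrypt.org` is the issuer domain name Let's Encrypt uses in CAA.

```python
# Added example: evaluates CAA policy per RFC 8659 over constructed records.
import re

# Constructed sample zone data (presentation format), keyed by owner name.
ZONE = {
    "example.com.": ['0 issue ";"'],                        # record from the answer
    "example.org.": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "example.net.": ['128 futuretag "x"'],                  # critical, unknown tag
}

RR = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse(rdata):
    """Split CAA RDATA into (flags, lowercase tag, value)."""
    m = RR.match(rdata.strip())
    if not m:
        raise ValueError(f"bad CAA rdata: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return [parse(r) for r in zone[name]]
    return []

def may_issue(ca_domain, fqdn, zone=ZONE):
    """True if a CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere on the path: any CA may issue
    known = ("issue", "issuewild", "iodef")
    # Unknown tag with the critical bit (128) set: the CA must refuse.
    if any(f & 128 and t not in known for f, t, _ in rrset):
        return False
    has_wild = any(t == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # no property restricting this request
    # Issuer domain is the part before any ";" parameters; empty means nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```
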