HubSpot should return CAA records for domains so that SSL certificates can be issued without the customer needing to alter root CAA records. More info: We added domains for landing pages and emails, and after adding the required CNAME and completing verification, got an error saying that an SSL certificate couldn't be generated as HubSpot's certificate provider, Digicert (the CA) didn't have permission. The instructions say to add Digicert to our root domain's CAA record, but this is bad advice as we have specifically set our CAA records to our own CA, and adding HubSpot's CA would allow that to be used for any sub-domains that we have anywhere else. As HubSpot have provided a CNAME record, they can control the CAA record in the same way as the A record that's already provided. CAA records are hierarchical for exactly this reason. This would mean that their chosen CA would always be accepted, and no customer would need to alter any CAA records. Our interim fix is to create domains in Hubspot which use a second sub-domain level, e.g. email.hub.example.com, so that we can add CAA records on hub.example.com rather than alter our root CAA. Then if/when HubSpot start providing the CAA record for the CNAME, the higher level will not be needed, but there is no break or impact.
... Mehr anzeigen