Short.io provides SSL certificates for short links for free. After adding a domain to Short.io, you need to wait up to one hour until HTTPS for short URLs is activated.
Sometimes the SSL certificate cannot be activated because of an issue with the domain configuration. When you set up a short domain for Short.io, you add A records that point to Short.io IP addresses.
Along with A-records, a Certification Authority Authorization (CAA) record may also be listed. Adding CAA into a domain setup is not mandatory; however, certain companies choose to utilize it.
CAA records can sometimes prevent the SSL certificate from being configured correctly on Short.io.
What is a CAA record?
A Certification Authority Authorization (CAA) record designates the specific certificate authorities (CAs) permitted to issue a certificate for a given domain. If no CAA record is specified, any certificate authority is allowed.
Note: At Short.io we mainly use Let's Encrypt and ZeroSSL as certificate authorities.
CAA record configuration
CAA records can set policy for the entire domain or for subdomains. Subdomains inherit the CAA records of their parent domain. Therefore, a CAA record set on a short domain also applies to any subdomain, such as subdomain.short.domain. To allow another CA for subdomain.short.domain, a separate CAA record must be added.
To allow a certificate authority to issue an SSL certificate for a given short domain, add a CAA record to the domain in your Registrar's settings.
Note: Although the instructions below use Cloudflare's settings as an example, they give you a general idea of how to set up the CAA record at your Registrar.
To configure CAA for your domain
In your Registrar's platform, open the DNS settings of the short domain/subdomain.
Add a CAA record.
Configure the record to contain the name of the CA, for example:
<your-domain-name> CAA 0 issue "letsencrypt.org"
Save the changes.
It takes up to one hour until HTTPS for short URLs is activated.
For more information on CAA records please refer to: https://support.dnsimple.com/articles/caa-record/
Why is your SSL certificate not working?
Sometimes, your Let's Encrypt CAA record might fail the certification checks for various reasons. In these situations, we can transition to ZeroSSL provided that an additional ZeroSSL CAA record is also included as a backup.
Create a second CAA record to prevent failures:
<your-domain-name> CAA 0 issue "zerossl.com"
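The inheritance rule and the backup record described above can be checked together. The following is an added example, not Short.io's code: it applies the RFC 8659 lookup (climb from the name toward the root, first CAA record set found wins) to a constructed zone and reports which of the two CAs would be blocked. The names under example.com and the helper names are assumptions made for illustration; CNAME handling and wildcard (`issuewild`) rules are left out.

```python
# Added example: RFC 8659 CAA lookup over a constructed zone (no DNS queries).
# ZONE maps a name to its CAA record set as (flags, tag, value) tuples.
ZONE = {  # constructed sample data
    "example.com": [(0, "issue", "letsencrypt.org")],
    "go.example.com": [(0, "issue", "letsencrypt.org"),
                       (0, "issue", "zerossl.com")],
    "mail.example.com": [(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
}

def relevant_rrset(name, zone):
    """Climb from `name` toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def ca_permitted(name, ca, zone):
    """True if CAA lets `ca` issue a non-wildcard certificate for `name`."""
    _, rrset = relevant_rrset(name, zone)
    # The issuer domain precedes any ";"-separated parameters; a bare ";"
    # yields an empty issuer, which matches no CA (issuance forbidden).
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in rrset if tag.lower() == "issue"]
    if not issuers:  # no CAA anywhere, or a set without any "issue" property
        return True
    return ca.lower() in issuers

def audit(name, zone, required=("letsencrypt.org", "zerossl.com")):
    """Return the CAs from `required` that CAA would block for `name`."""
    return [ca for ca in required if not ca_permitted(name, ca, zone)]

if __name__ == "__main__":
    for host in ("go.example.com", "links.example.com", "locked.example.com"):
        source, _ = relevant_rrset(host, ZONE)
        print(host, "policy from:", source, "blocked:", audit(host, ZONE))
```

A subdomain with no CAA records of its own, such as links.example.com here, is governed by the parent's set, so the missing ZeroSSL entry on the parent blocks the fallback CA for it as well.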