Opensense SSL Certificates via Let’s Encrypt: CNAME and CAA Requirements

Overview

Opensense uses Let’s Encrypt to issue and automatically renew the SSL/TLS certificates for hosted content served over HTTPS via custom CNAMEs provided by customers. This secures communication and relieves customers of the overhead of provisioning certificates and tracking their expiration.

These certificates are typically valid for 90 days and are renewed automatically every 60–90 days, ensuring seamless and continuous encryption for customer-branded content and links.

Customer CNAME Requirements

When a customer configures a CNAME record to point to Opensense-hosted infrastructure (e.g., for branded link tracking or email assets), Opensense initiates a certificate request through Let's Encrypt using the customer's domain.

For successful SSL issuance, Let’s Encrypt must be authorized to issue certificates for that domain. This typically requires no action unless the customer has restricted Certificate Authorities via DNS CAA records.

DNS CAA Records and Why They Matter

A CAA (Certificate Authority Authorization) record is a type of DNS record that controls which Certificate Authorities (CAs) are permitted to issue SSL certificates for a given domain.

If a customer has configured a CAA record that does not include Let’s Encrypt, then certificate issuance will fail, and HTTPS content served via their CNAME will be inaccessible.

CAA Record Required for Let's Encrypt

Customers using CAA records must explicitly authorize Let's Encrypt with the following DNS CAA record:

example.com.  CAA 0 issue "letsencrypt.org"

To support wildcard certificates (if applicable), they should also include:

example.com.  CAA 0 issuewild "letsencrypt.org"

Note: Replace example.com with the customer’s actual domain (the root of the domain they are CNAME-ing from).

When to Update CAA Records

Customers need to update their DNS CAA records only if:

  • They already have a CAA record defined (i.e., their domain is locked down to specific CAs).

  • Their current record does not include Let’s Encrypt as an authorized CA.

If no CAA records exist, all CAs (including Let’s Encrypt) are permitted by default, and no action is needed.
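The decision above can be checked offline against a copy of a domain's CAA records. The following is an added example, not Opensense or Let's Encrypt code: it parses zone-file style CAA lines, finds the closest record set by climbing from the hostname toward the root, and reports whether letsencrypt.org may issue. The sample records and the CA name other-ca.example are constructed, and CNAME chasing and the critical flag are not modeled.

```python
import re

# Zone-file style line: <name> [ttl] [IN] CAA <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', re.I)

# Constructed sample records (not real customer data); other-ca.example is a made-up CA.
SAMPLE_ZONE = '''
example.com.        CAA 0 issue "other-ca.example"
example.com.        CAA 0 iodef "mailto:security@example.com"
locked.example.net. CAA 0 issue "letsencrypt.org"
locked.example.net. CAA 0 issuewild ";"
'''

def parse_caa(zone_text):
    """Return [(name, tag, value)] for every CAA line in zone_text."""
    records = []
    for line in zone_text.splitlines():
        m = CAA_RE.match(line)
        if m:
            name, _flags, tag, value = m.groups()
            records.append((name.rstrip(".").lower(), tag.lower(), value))
    return records

def relevant_set(records, fqdn):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        found = [r for r in records if r[0] == name]
        if found:
            return found
    return []  # no CAA anywhere on the path: any CA may issue

def ca_allowed(records, fqdn, ca="letsencrypt.org", wildcard=False):
    """True if the CAA records let `ca` issue for fqdn (or *.fqdn if wildcard)."""
    rrset = relevant_set(records, fqdn)
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard requests, issuewild (when present) replaces issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # only non-issuance tags (e.g. iodef) or no records at all
    # The CA identifier is the part of the value before any ';' parameters.
    return any(v.split(";")[0].strip().lower() == ca for v in props)

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_ZONE)
    for host in ("links.example.com", "locked.example.net", "links.example.org"):
        print(host, ca_allowed(recs, host), ca_allowed(recs, host, wildcard=True))
```

A result of False for the customer's CNAME hostname means the CAA record shown earlier still needs to be added before issuance can succeed.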

Supporting Documentation from Let’s Encrypt

Summary

Opensense fully manages the lifecycle of SSL certificates for TLS-hosted content delivered via customer-configured CNAMEs using Let's Encrypt. Customers with advanced DNS or security policies must ensure their CAA records allow issuance by Let’s Encrypt to avoid disruptions.

For any questions or assistance, Opensense support can work with your IT or DNS provider to verify proper configuration.

Opensense Support

For further assistance, contact Opensense Support:

  • Email: help@opensense.com

  • Knowledge Base: help.opensense.com