Invalid CAA Records

CAA records are DNS records attached to domains that specify precisely which certificate authorities are allowed to issue certificates for your domain. If your domain does not carry any CAA records, our systems will not have a problem issuing your certificate. If, however, your domain has CAA records on file but none of them lists sectigo.com as an allowed certificate authority, our system will not be able to issue your certificate.

Troubleshoot: Invalid CAA Records

If you are seeing the error message shown above, please take one of the following steps:

  • either: remove all CAA records from your domain(s)
  • or: add a new CAA record to your domain(s) with sectigo.com as the value

Adding CAA Records

In order to add CAA records that will allow ZeroSSL to issue certificates for your domain, please log in to your domain or hosting provider, navigate to the DNS management section and add a set of CAA records as shown in the examples below.

Note: In some instances, you need to remove the CAA record from the web host as well as the domain host.

Example #1:
Allow ZeroSSL certificates for site.com, including any subdomains as well as wildcards.

site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild "sectigo.com"

Example #2:
Allow ZeroSSL certificates for site.com, including any subdomains but not including wildcards.

site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild ";"

Example #3:
Allow ZeroSSL certificates for page.site.com only, not including the root domain, any other subdomains, or wildcards.

page.site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild ";"
site.com. 3600 IN CAA 0 issue ";"
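
The following Python code is an added example, not ZeroSSL's or Sectigo's own code: it evaluates the three record sets above the way RFC 8659 describes CAA checking, climbing from the requested name to its parent domains until a CAA record set is found. The zone data is constructed from the examples, and ca.example is a hypothetical other CA used to reproduce the "Invalid CAA Records" case.

```python
# Added example. ZONES is constructed data copied from examples #1-#3 above,
# plus one zone that names only a different (hypothetical) CA, "ca.example".
ZONES = {
    "example1": {"site.com": [("issue", "sectigo.com"), ("issuewild", "sectigo.com")]},
    "example2": {"site.com": [("issue", "sectigo.com"), ("issuewild", ";")]},
    "example3": {
        "page.site.com": [("issue", "sectigo.com")],
        "site.com": [("issuewild", ";"), ("issue", ";")],
    },
    "other_ca_only": {"site.com": [("issue", "ca.example")]},
}


def relevant_rrset(zone, name):
    """Climb from `name` towards the root; the first CAA record set found wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def may_issue(zone, name, ca="sectigo.com"):
    """Return True if CAA permits `ca` to issue a certificate for `name`."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    issue = [v for tag, v in rrset if tag == "issue"]
    issuewild = [v for tag, v in rrset if tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    # issuewild is ignored for non-wildcard names.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # nothing restricts issuance: any CA may issue
    # The value is "<issuer domain>[; parameters]"; a bare ";" names no CA at all.
    return any(v.split(";")[0].strip().lower() == ca for v in values)


if __name__ == "__main__":
    for zone_name, zone in ZONES.items():
        for name in ("site.com", "shop.site.com", "page.site.com", "*.site.com"):
            print(f"{zone_name:14} {name:15} sectigo.com allowed: {may_issue(zone, name)}")
```

With the records of Example #3, a wildcard request for *.page.site.com is still permitted, because page.site.com's own record set carries no issuewild entry and its issue entry then applies to wildcards as well.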

Checking CAA Records

You can use different tools to check your CAA records:

  • DNS CAA Tester also shows you the CAA records on your parent domain
  • Google Dig can be used to identify errors on the DNS servers (for example, if you see a SERVFAIL error, please reach out to your DNS provider, as there might be an issue with the configuration or the DNS zone)

Troubles with CAA records?

Before contacting us, please try the following three things:

  1. Try the CAA checker as shown above
  2. Visit this troubleshooting article for further help
  3. Check for an ongoing service incident

