CAA records are DNS records attached to domains that specify precisely which certificate authorities are allowed to issue certificates for your domain. If your domain does not carry any CAA records, our systems will not have a problem issuing your certificate. If, however, your domain has CAA records on file but none for
sectigo.com as an allowed certificate authority, our system will not be able to issue your certificate.
If you are seeing the error message shown above, please take one of the following steps:
- either: remove all CAA records from your domain(s)
- or: add a new CAA record to your domain(s) with
Adding CAA Records
In order to add CAA records that will allow ZeroSSL to issue certificates for your domain, please log in to your domain or hosting provider, navigate to the DNS management section and add a set of CAA records as shown in the examples below.
Note: In some instances, you need to remove the CA Record from the web host as well as the domain host.
Allow ZeroSSL certificates for site.com, including any subdomains as well as wildcards.
site.com. 3600 IN CAA 0 issue "sectigo.com" site.com. 3600 IN CAA 0 issuewild "sectigo.com"
Allow ZeroSSL certificates for example.com, including any subdomains but not including wildcards.
site.com. 3600 IN CAA 0 issue "sectigo.com" site.com. 3600 IN CAA 0 issuewild ";"
Allow ZeroSSL certificates for page.site.com only, not including the root domain, any subdomains as well as wildcards.
page.site.com. 3600 IN CAA 0 issue "sectigo.com" site.com. 3600 IN CAA 0 issuewild ";" site.com. 3600 IN CAA 0 issue ";"
Troubles with CAA records?
Before contacting us please try the following three things:
- Check out your currently CAA records here:
CAA Record Checker
- Visit this Troubleshooting article for further help!!
- Please check for an ongoing service incident.