Fixing CAA Records That Block Certificate Issuance
Fix CAA records that block SSL certificate issuance, including issue, issuewild, Let's Encrypt, wildcard certificates and inherited CAA problems.
Introduction
CAA records tell certificate authorities which issuers may create SSL/TLS certificates for your domain. If DNS does not authorize the CA you are using, issuance or renewal fails even when everything else is configured correctly.
This problem is common after switching from one SSL provider to another, enabling Let's Encrypt on a domain that previously allowed only a commercial CA, requesting wildcard certificates without issuewild, or publishing CAA with syntax errors at the wrong DNS hostname.
Quick answer
Check current CAA records with CAA Record Checker, identify the CA your SSL tool or CDN uses, add the correct issue record (and issuewild for wildcards), remove obsolete CA entries, confirm records are on the right hostname, wait for DNS TTL, then retry certificate issuance.
CAA records blocking issuance explained
Before issuing a certificate, a publicly trusted CA must query CAA for the requested name (the CA/Browser Forum Baseline Requirements have required this check since September 2017). The CA walks from the exact name toward the root and uses the first CAA RRset it finds; if that RRset does not authorize the CA, issuance is refused.
- issue tag authorizes a CA for ordinary hostname certificates
- issuewild authorizes a CA for wildcard certificates; when no issuewild record exists, the issue records govern wildcards as well
- iodef names a mailto: or https: address where a CA may report a request it rejected
- Let's Encrypt's CAA identifier is letsencrypt.org, so it needs issue "letsencrypt.org" (or a matching issuewild for wildcards)
- Wildcard certs fail when an issuewild record exists that does not name the CA
- Multiple issue records are additive: each one authorizes one more CA
- Old CA entries may remain after switching providers
- CAA on the wrong hostname has no effect on the intended name: CAA at www.example.com does nothing for example.com
- A subdomain with no CAA of its own is governed by the nearest parent zone that has CAA
- DNS provider formatting errors can publish invalid CAA values
If you do not need to restrict CAs, removing all CAA records allows any trusted CA to issue. Only use CAA when you intentionally want restriction.
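The rules above are easiest to reason about in code. The following is an added example (not code from this guide or from any CA) that evaluates a request the way RFC 8659 describes: climb toward the root until a CAA RRset is found, prefer issuewild for wildcard names only when at least one issuewild record exists, treat an empty result as "any CA", and refuse on a critical flag with an unknown tag. The ZONE table is constructed data standing in for real DNS answers; the lookup() function is a hypothetical stand-in for a resolver.

```python
# Added example, not from the page: evaluate CAA for a hostname the way a CA does
# (RFC 8659). The zone data is constructed; replace ZONE/lookup() with real DNS answers.
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL = 128  # the "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or CRITICAL
    tag: str     # issue / issuewild / iodef (compared case-insensitively)
    value: str   # 'letsencrypt.org', 'digicert.com; accounturi=...', or ';' (nobody)


# Constructed zone: name -> CAA RRset. A name that is absent has no CAA of its own.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "digicert.com"),               # old vendor, never removed
        CAARecord(0, "issuewild", ";"),                      # forbids every wildcard
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "dev.example.com": [CAARecord(0, "issue", "LetsEncrypt.org; validationmethods=dns-01")],
    "api.example.com": [CAARecord(CRITICAL, "issuecustom", "x")],  # tag no CA understands
    # www.example.com has no CAA of its own, so the lookup climbs to example.com
}


def lookup(name):
    """Hypothetical stand-in for a real CAA query; returns the RRset at exactly this name."""
    return ZONE.get(name.lower().rstrip("."), [])


def relevant_caa_set(fqdn):
    """RFC 8659 section 3: walk toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """'LetsEncrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain):
    """Return (allowed, reason). `name` may be a wildcard such as '*.example.com'."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    source, rrset = relevant_caa_set(base)
    if not rrset:
        return True, "no CAA anywhere up the tree: any trusted CA may issue"
    # A critical record with a tag the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {source}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs a wildcard only if at least one exists; otherwise issue applies.
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"
    if not governing:
        return True, f"CAA at {source} has no {tag} records: issuance is not restricted"
    allowed = {issuer_domain(rr.value) for rr in governing}
    if ca_domain.lower() in allowed:
        return True, f"{tag} at {source} authorizes {ca_domain}"
    listed = sorted(a or "(nobody)" for a in allowed)
    return False, f"{tag} at {source} authorizes {listed}, not {ca_domain}"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "digicert.com"),
                     ("*.dev.example.com", "letsencrypt.org"),
                     ("api.example.com", "digicert.com"),
                     ("other.org", "letsencrypt.org")]:
        ok, why = caa_permits(host, ca)
        print(f"{'ALLOW' if ok else 'DENY ':5} {host:22} {ca:16} {why}")
```

Run it and note the two results that surprise most people: www.example.com is blocked for Let's Encrypt by the parent's leftover digicert.com record even though www has no CAA at all, and *.dev.example.com is allowed with no issuewild record because issue governs wildcards when no issuewild exists.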
Why this matters
A blocked certificate leaves HTTPS broken or stuck on an expiring cert. Auto-renewal fails, staging deploys break, and CDN edge SSL may not provision until CAA authorizes the correct issuer.
CAA is a useful security control when maintained, but outdated CAA is a frequent cause of renewal failures.
How to check CAA records
- Run CAA Record Checker on the exact hostname needing the certificate.
- List all issue, issuewild and iodef records returned.
- Identify the CA your panel, Certbot or CDN uses.
- For wildcards, check issuewild: if any issuewild record exists it alone governs wildcard issuance; if none exists, the issue records apply to wildcards too.
- Review parent domain CAA if the subdomain inherits policy.
- Confirm records are published at authoritative DNS, not an old provider.
- Retry issuance only after TTL and propagation.
Common problems
CAA allows wrong certificate authority
[High] DNS authorizes DigiCert or Sectigo but you are requesting Let's Encrypt or a CDN CA.
Next step: Add the correct issue record for the CA you actually use.
issuewild does not match the wildcard request
[High] A wildcard certificate was requested and the zone has issuewild records that do not name your CA. If no issuewild exists at all, the issue records govern wildcards too, so a wrong issue list blocks wildcards as well.
Next step: Add issuewild for the CA issuing the wildcard, or, if you have no issuewild records, make sure issue names it.
CAA inherited from parent domain
[Medium] The subdomain has no CAA of its own, so the CA uses the nearest parent zone's CAA, which does not authorize the issuer.
Next step: Publish explicit CAA on the subdomain or update parent policy intentionally.
DNS provider formats CAA incorrectly
[Medium] Missing flags, tag syntax or quotes produce invalid CAA answers; a record the CA cannot parse never authorizes it and can make issuance fail.
Next step: Republish using your DNS provider's CAA field format, or the RFC 3597 generic format if the provider has no native CAA field.
Multiple conflicting CAA records
[Medium] Several issue records exist but the needed CA is not among them. Issue records are additive, so adding one more does not remove the others.
Next step: Add the required CA and remove obsolete entries.
Old CA remains after switching SSL provider
[High] Previous vendor CAA still blocks the new issuer.
Next step: Remove old CA entries and authorize the new provider.
CAA added at wrong hostname
[Medium] Records were created on www or another subdomain instead of the name the certificate is for. CAA on www.example.com does nothing for example.com; CAA at example.com does apply to www.example.com unless www publishes its own.
Next step: Publish CAA on the exact name the CA validates, or on a parent of it.
Let's Encrypt not authorized
[High] CAA exists but does not include letsencrypt.org.
Next step: Add CAA 0 issue "letsencrypt.org" or remove restrictive CAA if appropriate.
CDN certificate provider not authorized
[High] Edge SSL uses a CA not listed in your CAA records.
Next step: Authorize the CDN CA in CAA or use a CDN SSL mode that matches your policy.
DNS not propagated yet
[Low] CAA was fixed recently but resolvers still return the old value.
Next step: Wait for TTL expiry and verify with CAA Record Checker before retrying.
How to fix
- Step 1: Check current CAA records
Use CAA Record Checker and DNS Lookup (or dig CAA <hostname> against the authoritative nameserver) to list issue, issuewild and iodef values at the hostname and at each parent zone.
- Step 2: Identify certificate issuer
Confirm whether you use Let's Encrypt, a commercial CA, hosting AutoSSL or a CDN-provided certificate, and look up the CAA identifier that issuer documents.
- Step 3: Add correct issue record
Authorize the CA with a record such as CAA 0 issue "letsencrypt.org" when using Let's Encrypt.
- Step 4: Add issuewild if the wildcard policy needs it
For wildcard certificates, issue records apply unless an issuewild record exists; if any issuewild exists, it must name the CA issuing the wildcard.
- Step 5: Remove obsolete CAA records
Delete issue and issuewild entries for CAs you no longer use; leaving them in place keeps them authorized.
- Step 6: Check parent/root domain inheritance
If the hostname has no CAA of its own, review the nearest parent zone that does, because that RRset is the one the CA will use.
- Step 7: Wait for TTL
Allow DNS propagation before retrying issuance or renewal.
- Step 8: Retry SSL issuance
Run Certbot, panel SSL, or CDN provisioning again and confirm success with SSL Checker.
Examples
; Allow Let's Encrypt standard certificates
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
; Allow Let's Encrypt wildcard certificates
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
; Report unauthorized issuance attempts (optional)
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
Use the exact CA identifier your issuer documents, which is not always the CA's main website domain. The leading 0 is the flags field: 128 marks the record as critical, so a CA that does not understand the tag must refuse to issue. Removing all CAA records allows any trusted CA to issue, which may be acceptable if you do not need restriction.
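The zone-file lines above are the presentation format; a DNS provider that has no native CAA field, or whose form drops the flags or quotes, is a common source of the "DNS provider formats CAA incorrectly" problem. As an added example (not the page's code, and not any provider's tooling), the lint below parses records written in presentation form, reports the mistakes a CA would choke on, and emits the RFC 3597 generic encoding (TYPE257 followed by the RFC 8659 wire bytes: flags, tag length, tag, value) that such providers accept. The SAMPLE lines are constructed.

```python
# Added example, not from the page: lint CAA records written in presentation form and
# emit the RFC 3597 generic encoding for DNS providers whose CAA field is missing or
# mangles flags, tags or quotes. All input lines below are constructed.
import re

VALID_TAGS = ("issue", "issuewild", "iodef")
# FLAGS TAG VALUE, where VALUE is either a quoted string or a single bare token
_PRESENTATION = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"([^"]*)"|(\S+))\s*$')


def parse_caa(text):
    """Return (flags, tag, value) or raise ValueError saying why a CA would reject it."""
    m = _PRESENTATION.match(text)
    if not m:
        first = text.split()[0].lower() if text.split() else ""
        if first in VALID_TAGS:
            raise ValueError(f"flags field missing before {first!r}; write 0 {first} ...")
        raise ValueError(f"does not match 'FLAGS TAG VALUE': {text!r}")
    flags, tag = int(m.group(1)), m.group(2).lower()
    value = m.group(3) if m.group(3) is not None else m.group(4)
    if flags not in (0, 128):
        raise ValueError(f"flags must be 0 or 128 (critical), got {flags}")
    if tag not in VALID_TAGS:
        note = " (critical: blocks all issuance)" if flags == 128 else ""
        raise ValueError(f"unknown tag {tag!r}{note}")
    if tag in ("issue", "issuewild"):
        issuer = value.split(";", 1)[0].strip()   # text before ';' is the issuer domain
        if issuer and not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", issuer):
            raise ValueError(f"issuer {issuer!r} is not a domain name (no scheme, path or quotes)")
    elif not re.match(r"^(?:mailto:|https?://)", value, re.IGNORECASE):
        raise ValueError(f"iodef value must be a mailto: or http(s):// URL, got {value!r}")
    return flags, tag, value


def to_generic_rdata(flags, tag, value):
    """RFC 8659 wire form (flags, tag length, tag, value) as RFC 3597 'TYPE257 \\# LEN HEX'."""
    tag_b, value_b = tag.encode("ascii"), value.encode("utf-8")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value_b
    return f"TYPE257 \\# {len(rdata)} {rdata.hex()}"


def lint(lines):
    """Check every line; return (generic_rdata_list, error_list) so a caller can act on both."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(to_generic_rdata(*parse_caa(line)))
        except ValueError as e:
            bad.append(f"{line!r}: {e}")
    return good, bad


# Constructed sample: two valid records and three shapes of provider mangling.
SAMPLE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org"',
    'issue "letsencrypt.org"',               # flags dropped by the provider UI
    '0 issue "https://letsencrypt.org/"',    # URL pasted where a domain belongs
    '0 issue letsencrypt.org"',              # unbalanced quote
]

if __name__ == "__main__":
    ok, errors = lint(SAMPLE)
    print("\n".join(ok))
    print("\n".join(errors))
```

The generic form for 0 issue "letsencrypt.org" is 22 octets: 00 (flags), 05 (tag length), the bytes of "issue", then the bytes of "letsencrypt.org". Paste the TYPE257 line into a provider that supports RFC 3597 unknown-type records, then confirm with CAA Record Checker that the resolver decodes it back to the intended issue record.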
Frequently asked questions
What is a CAA record?
A Certificate Authority Authorization (CAA) DNS record specifies which CAs are allowed to issue SSL/TLS certificates for a domain or wildcard.
Can Let's Encrypt issue a cert if CAA blocks it?
No. If the relevant CAA set does not authorize letsencrypt.org, the identifier Let's Encrypt documents for CAA, issuance fails until DNS is updated.
Do I need issuewild for wildcard certificates?
Only if you want a wildcard policy that differs from issue, or if an issuewild record already exists. With no issuewild present, the issue records govern wildcards as well; once any issuewild exists, only issuewild is consulted for wildcard names, so it must name the CA.
What if there are no CAA records?
Any publicly trusted CA may issue certificates for the domain. No CAA is valid and common when you have not restricted issuers.
Can parent domain CAA affect subdomains?
Yes. A CA walks from the requested name toward the root and uses the first CAA RRset it finds, so a subdomain without its own CAA is governed by the nearest parent that has one. Publishing CAA on the subdomain stops the walk there.
How long after fixing CAA can I retry issuance?
Retry after the CAA record TTL expires and public resolvers return the updated value, often within minutes to an hour. Some CAs also reuse a recent CAA lookup for a while (Let's Encrypt checks CAA when it validates a name and re-checks before issuance only if that validation is more than 8 hours old), so a failed order may need to be started fresh.
Can CDN SSL fail because of CAA?
Yes. If the CDN provider uses a CA that is not listed in CAA, edge certificate issuance or renewal can fail.