Fixing CAA Records That Block Certificate Issuance

Fix CAA records that block SSL certificate issuance, including issue, issuewild, Let's Encrypt, wildcard certificates and inherited CAA problems.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Intermediate

Introduction

CAA records tell certificate authorities which issuers may create SSL/TLS certificates for your domain. If DNS does not authorize the CA you are using, issuance or renewal fails even when everything else is configured correctly.

This problem is common after switching from one SSL provider to another, enabling Let's Encrypt on a domain that previously allowed only a commercial CA, requesting wildcard certificates when issuewild records name a different CA, or publishing CAA with syntax errors or at the wrong DNS hostname.

Quick answer

Check current CAA records with CAA Record Checker, identify the CA your SSL tool or CDN uses, add the correct issue record (and issuewild for wildcards), remove obsolete CA entries, confirm records are on the right hostname, wait for DNS TTL, then retry certificate issuance.

CAA records blocking issuance explained

Before issuing a certificate, publicly trusted CAs are required by the CA/Browser Forum Baseline Requirements to check CAA, following RFC 8659: the CA looks for CAA records at the requested name and, if none exist there, at each parent name up the tree; the first CAA record set found is the policy that applies. If that set exists and does not authorize the CA, issuance is denied.

  • issue tag controls standard (non-wildcard) certificates
  • issuewild controls wildcard certificates; if no issuewild record exists, the issue records apply to wildcards as well
  • iodef names a mailbox or URL where a CA can report unauthorized issuance attempts
  • Let's Encrypt requires issue "letsencrypt.org" (and issuewild "letsencrypt.org" for a wildcard when any issuewild record exists)
  • A value of ";" (for example issue ";") authorizes no CA at all
  • Old CA entries may remain after switching providers
  • CAA only applies downward: a record on www.example.com has no effect on example.com, while a record on example.com applies to every name beneath it that has no CAA of its own
  • Inherited CAA from parent zones can surprise subdomain issuance, because the CA uses the nearest CAA set it finds walking up the tree
  • A record with the critical flag (128) and a tag the CA does not understand blocks issuance entirely
  • DNS provider formatting errors can publish invalid CAA values

If you do not need to restrict CAs, removing all CAA records allows any trusted CA to issue. Only use CAA when you intentionally want restriction.
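The rules above are easier to reason about in code. The following Python is an added example, not code from this page or from CheckDomainHealth: it implements the RFC 8659 evaluation a CA performs (walk up the tree to the nearest CAA set, apply issue or issuewild, treat ";" as "nobody", refuse on a critical unknown tag) over a constructed zone. All owner names, CA identifiers and records in it are illustrative; the only real identifiers are the public CAA domains letsencrypt.org and digicert.com. Issuer parameters after ";" in a value are ignored, which is a simplification.

```python
"""
CAA policy evaluation for one CA and one name, following RFC 8659.

Added example, not code from the page or from CheckDomainHealth; the zone
below is constructed for illustration. Rules implemented:
  * climb from the requested name toward the root and use the first CAA
    RRset found (a wildcard name *.X is looked up as X);
  * "issuewild" governs wildcard requests only when present, otherwise the
    "issue" records apply to wildcards as well;
  * a value of ";" authorizes no CA;
  * an unknown tag with the critical flag (128) set forbids issuance.
Issuer parameters after ";" in a value (e.g. account binding) are ignored.
"""
from __future__ import annotations
import shlex

# Constructed zone data in presentation format, as a CAA lookup would return it.
CONSTRUCTED_ZONE_TEXT = """
example.com.         CAA 0 issue "digicert.com"
example.com.         CAA 0 issuewild "letsencrypt.org"
example.com.         CAA 0 iodef "mailto:security@example.com"
dev.example.com.     CAA 0 issue "letsencrypt.org"
locked.example.com.  CAA 0 issue ";"
odd.example.com.     CAA 128 futuretag "whatever"
"""
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_zone(text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Parse 'owner CAA flags tag "value"' lines into owner -> records."""
    zone: dict[str, list[tuple[int, str, str]]] = {}
    for line in text.strip().splitlines():
        owner, rrtype, flags, tag, value = shlex.split(line)  # honours the quotes
        if rrtype.upper() != "CAA" or not 0 <= int(flags) <= 255:
            raise ValueError(f"not a valid CAA record: {line!r}")
        zone.setdefault(owner.rstrip(".").lower(), []).append(
            (int(flags), tag.lower(), value))
    return zone


def find_caa_rrset(name: str, zone: dict) -> tuple[str | None, list]:
    """Return (owner, records) of the nearest CAA RRset at or above name."""
    labels = name.lower().removeprefix("*.").rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def ca_identifier(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca: str, zone: dict, wildcard: bool = False) -> tuple[bool, str]:
    """Decide whether `ca` may issue for `name`; returns (allowed, reason)."""
    owner, records = find_caa_rrset(name, zone)
    if owner is None:
        return True, "no CAA records at or above the name; any CA may issue"
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r} at {owner}"
    issue = [ca_identifier(v) for _, t, v in records if t == "issue"]
    issuewild = [ca_identifier(v) for _, t, v in records if t == "issuewild"]
    if wildcard and issuewild:
        governing, tag = issuewild, "issuewild"
    else:
        governing, tag = issue, "issue"
    if not governing:
        return True, f"CAA at {owner} has no {tag} records; issuance not restricted"
    if ca.lower() in governing:
        return True, f"{tag} at {owner} authorizes {ca}"
    return False, f"{tag} at {owner} lists {governing}, not {ca}"


if __name__ == "__main__":
    zone = parse_zone(CONSTRUCTED_ZONE_TEXT)
    for name, ca, wild in [
        ("example.com", "letsencrypt.org", False),       # denied: issue is DigiCert only
        ("*.example.com", "letsencrypt.org", True),      # allowed via issuewild
        ("www.example.com", "letsencrypt.org", False),   # inherits the apex policy
        ("*.dev.example.com", "letsencrypt.org", True),  # no issuewild: issue applies
        ("locked.example.com", "digicert.com", False),   # ';' blocks everyone
        ("odd.example.com", "digicert.com", False),      # critical unknown tag
        ("other.net", "letsencrypt.org", False),         # no CAA anywhere
    ]:
        ok, why = caa_permits(name, ca, zone, wild)
        print(f"{'ALLOW' if ok else 'DENY ':5} {name:20} {ca:16} {why}")
```

Running it shows the two cases this guide gets asked about most: www.example.com is denied Let's Encrypt because it has no CAA of its own and inherits the apex's issue "digicert.com", while *.dev.example.com is allowed with only an issue record because no issuewild record exists at or above it.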

Why this matters

A blocked certificate leaves HTTPS broken or stuck on an expiring cert. Auto-renewal fails, staging deploys break, and CDN edge SSL may not provision until CAA authorizes the correct issuer.

CAA is a useful security control when maintained, but outdated CAA is a frequent cause of renewal failures.

How to check CAA records

  1. Run CAA Record Checker on the exact hostname needing the certificate.
  2. List all issue, issuewild and iodef records returned.
  3. Identify the CA your panel, Certbot or CDN uses, and the CAA identifier that CA documents (for Let's Encrypt, letsencrypt.org).
  4. For a wildcard request, check whether any issuewild records exist: if they do, your CA must be listed there; if none exist, the issue records govern wildcards.
  5. If the hostname has no CAA of its own, review the nearest parent name that does, because its policy is the one the CA applies.
  6. Confirm records are published at the authoritative DNS servers, not at an old provider.
  7. Retry issuance only after the old record's TTL has expired; CAs resolve CAA through their own caching resolvers.

Check CAA records

Use CAA Record Checker to see which certificate authorities are authorized to issue certificates for your domain.

Common problems

CAA allows wrong certificate authority

High

DNS authorizes DigiCert or Sectigo but you are requesting Let's Encrypt or a CDN CA.

Next step: Add the correct issue record for the CA you actually use.

issuewild does not authorize the wildcard CA

High

A wildcard certificate was requested and the zone has issuewild records, but they list a different CA (or issuewild ";"), so the issue record for your CA does not apply to the wildcard.

Next step: Add issuewild for the same CA as the wildcard request, or remove the restrictive issuewild records so the issue records govern wildcards.

CAA inherited from parent domain

Medium

Subdomain issuance is restricted by parent zone CAA.

Next step: Publish explicit CAA on the subdomain or update parent policy intentionally.

DNS provider formats CAA incorrectly

Medium

Missing flags, a misspelled tag, wrong quoting, or a critical flag (128) on a tag the CA does not recognize produce CAA answers the CA rejects.

Next step: Republish using your DNS provider's CAA field format.

Multiple conflicting CAA records

Medium

Several issue records exist but the needed CA is not among them.

Next step: Add the required CA and remove obsolete entries.

Old CA remains after switching SSL provider

High

Previous vendor CAA still blocks the new issuer.

Next step: Remove old CA entries and authorize the new provider.

CAA added at wrong hostname

Medium

Records were created on www or another sibling name instead of the hostname being validated. CAA only flows downward, so a record on www.example.com does nothing for example.com, whereas a record on example.com covers www and every other name beneath it that has no CAA of its own.

Next step: Publish CAA on the hostname the CA validates, or on a parent name when the policy should cover the whole subtree.

Let's Encrypt not authorized

High

CAA exists but does not include letsencrypt.org.

Next step: Add CAA 0 issue "letsencrypt.org" or remove restrictive CAA if appropriate.

CDN certificate provider not authorized

High

Edge SSL uses a CA not listed in your CAA records.

Next step: Authorize the CDN CA in CAA or use a CDN SSL mode that matches your policy.

DNS not propagated yet

Low

CAA was fixed recently but the CA's resolvers still return the cached old value.

Next step: Wait for the previous record's TTL to expire and verify with CAA Record Checker before retrying.

How to fix

  1. Step 1: Check current CAA records

    Use CAA Record Checker and DNS Lookup to list issue, issuewild and iodef values.

  2. Step 2: Identify certificate issuer

    Confirm whether you use Let's Encrypt, a commercial CA, hosting AutoSSL or a CDN-provided certificate.

  3. Step 3: Add correct issue record

    Authorize the CA with a record such as CAA 0 issue "letsencrypt.org" when using Let's Encrypt.

  4. Step 4: Add issuewild if wildcard needed

    For wildcard certificates, check for existing issuewild records. If any exist they take precedence, so publish issuewild for the same CA; if none exist, the issue record already covers wildcards.

  5. Step 5: Remove obsolete CAA records

    Delete issue entries for CAs you no longer use.

  6. Step 6: Check parent/root domain inheritance

    Review whether parent zone CAA affects subdomain issuance.

  7. Step 7: Wait for TTL

    Allow DNS propagation before retrying issuance or renewal.

  8. Step 8: Retry SSL issuance

    Run Certbot, panel SSL, or CDN provisioning again and confirm success with SSL Checker.
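Steps 1 to 5 reduce to a small set computation over the records you got back. The Python below is an added example, not CheckDomainHealth code: given the observed (flags, tag, value) records, the identifier the new CA documents, whether wildcards are needed and which old CAs are obsolete, it returns the records to add and remove and renders them as zone-file lines. The records, owner name and the obsolete CA set are constructed inputs.

```python
"""
Compute the CAA changes needed before retrying issuance.

Added example, not CheckDomainHealth code. Input is the (flags, tag, value)
list returned by a CAA lookup; the records in __main__ are constructed.
Rules applied (RFC 8659): an issuewild record for the new CA is needed only
when issuewild records already exist (otherwise issue covers wildcards), and
obsolete CAs are removed from both the issue and issuewild tags.
"""
from __future__ import annotations

Record = tuple[int, str, str]  # (flags, tag, value)


def _ca_of(value: str) -> str:
    """Strip issuer parameters: 'ca.example; account=1' -> 'ca.example'."""
    return value.split(";", 1)[0].strip().lower()


def plan_caa_changes(records: list[Record], new_ca: str, wildcard: bool = False,
                     obsolete: frozenset[str] = frozenset()) -> tuple[list[Record], list[Record]]:
    """Return (add, remove) record lists for moving issuance to new_ca."""
    new_ca = new_ca.lower()
    obsolete_cas = {c.lower() for c in obsolete}
    by_tag: dict[str, list[str]] = {"issue": [], "issuewild": []}
    for _, tag, value in records:
        if tag.lower() in by_tag:
            by_tag[tag.lower()].append(_ca_of(value))
    remove = [(f, t, v) for f, t, v in records
              if t.lower() in by_tag and _ca_of(v) in obsolete_cas]
    add: list[Record] = []
    if new_ca not in by_tag["issue"]:
        add.append((0, "issue", new_ca))
    # Only needed when issuewild records exist: they override issue for wildcards.
    if wildcard and by_tag["issuewild"] and new_ca not in by_tag["issuewild"]:
        add.append((0, "issuewild", new_ca))
    return add, remove


def zone_lines(owner: str, records: list[Record], ttl: int = 3600) -> list[str]:
    """Render records as zone-file lines for a DNS provider that accepts them."""
    return [f'{owner}  {ttl}  IN  CAA  {f} {t} "{v}"' for f, t, v in records]


if __name__ == "__main__":
    # Constructed: a zone still pinned to a previous commercial CA.
    current: list[Record] = [
        (0, "issue", "digicert.com"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
    ]
    add, remove = plan_caa_changes(current, "letsencrypt.org", wildcard=True,
                                   obsolete=frozenset({"digicert.com"}))
    print("remove:")
    print("\n".join(zone_lines("example.com.", remove)))
    print("add:")
    print("\n".join(zone_lines("example.com.", add)))
```

Note what the planner does not do: with only issue "letsencrypt.org" present and a wildcard requested, it adds nothing, because issue already governs wildcards when no issuewild record exists. It does add an issuewild entry when the zone already has an issuewild for another CA, which is the case that silently blocks wildcard renewals after a provider switch.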

Examples

CAA record examples
; Allow Let's Encrypt standard certificates
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"

; Allow Let's Encrypt wildcard certificates (required only when the zone has issuewild records; otherwise issue covers wildcards)
example.com.  3600  IN  CAA  0 issuewild "letsencrypt.org"

; Report unauthorized issuance attempts (optional)
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"

Use the exact CA domain your issuer documents. Removing all CAA records allows any trusted CA to issue, which may be acceptable if you do not need restriction.

Frequently asked questions

What is a CAA record?

A Certificate Authority Authorization (CAA) DNS record specifies which CAs are allowed to issue SSL/TLS certificates for a domain or wildcard.

Can Let's Encrypt issue a cert if CAA blocks it?

No. If CAA does not authorize letsencrypt.org (or the correct Let's Encrypt domain), issuance fails until DNS is updated.

Do I need issuewild for wildcard certificates?

Not necessarily. If the domain has no issuewild records, the issue records govern wildcard requests as well. If any issuewild record exists, it takes precedence for wildcards and must list the CA; an issue record alone then does not authorize the wildcard.

What if there are no CAA records?

Any publicly trusted CA may issue certificates for the domain, provided no parent name publishes CAA either. Having no CAA records is valid and common when you have not chosen to restrict issuers.

Can parent domain CAA affect subdomains?

Yes. A CA looks for CAA records at the requested name first and, finding none, checks each parent name in turn; the first CAA set found applies. A subdomain therefore inherits the parent's policy unless it publishes its own CAA records, which then replace the parent's rather than merging with them.

How long after fixing CAA can I retry issuance?

Retry after the old record's TTL has expired and the CA's resolvers return the updated value. With the common 3600-second TTL that can be up to an hour; lowering the TTL before making the change shortens the wait.

Can CDN SSL fail because of CAA?

Yes. If the CDN provider uses a CA that is not listed in CAA, edge certificate issuance or renewal can fail.
