Introduction

A CAA (Certification Authority Authorization) record can stop certificate issuance even when DNS and domain validation look correct. That is its job. CAA tells certificate authorities which issuers are allowed to create certificates for your domain. If the record names the wrong CA, is inherited unexpectedly from a parent domain, or has not propagated cleanly, renewals and new certificates can fail.

Symptoms

  • Certificate issuance or renewal fails even though domain validation appears correct
  • The CA reports a CAA-related restriction or authorization error
  • One certificate provider fails while another previously worked
  • The issue starts after DNS changes, registrar moves, or security hardening
  • Subdomains fail while the apex domain still issues normally, or the reverse

Common Causes

  • The CAA record authorizes a different CA than the one now trying to issue the certificate
  • A parent-domain CAA record is inherited by a subdomain unexpectedly
  • DNS propagation or stale authoritative answers keep serving an older CAA policy
  • The record syntax or target value is invalid
  • Renewal automation switched certificate providers without updating DNS policy

Step-by-Step Fix

  1. Confirm the exact certificate authority attempting issuance and compare it with the currently published CAA policy for the hostname.
  2. Query the CAA record from authoritative nameservers directly so you see the true active policy rather than a cached dashboard view.
  3. Check whether the hostname inherits CAA rules from a parent domain because the effective policy may not be set where you expect.
  4. Correct the CAA record to authorize the intended CA, or remove outdated restrictions if your issuance policy has changed.
  5. Review record syntax carefully, including issue, issuewild, and any account or validation parameters required by your CA.
  6. Wait for DNS TTL expiry only after the authoritative CAA answer is correct on all nameservers.
  7. Retry issuance once the CA can see the updated policy and confirm no older conflicting CAA records remain.
  8. If multiple certificate systems operate in your environment, align them to a single documented issuance policy so they do not fight each other.
  9. Keep certificate-provider ownership and DNS authorization rules documented so renewals do not fail unexpectedly later.
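The steps above (especially 1 through 5) amount to reproducing the check a CA performs before issuing. The following is an added example, not part of the original article or of any CA's code: a small Python model of CAA evaluation following the RFC 8659 tree-climbing rule (the first name, walking from the hostname toward the root, that publishes a non-empty CAA set is the effective policy), with issue versus issuewild handling, the empty-issuer ";" form that blocks all issuance, the critical flag, and the validationmethods parameter from RFC 8657. The zone contents are constructed sample data; in practice you would populate them from the authoritative nameservers' answers, for example with `dig CAA <hostname> @<authoritative-ns>`.

```python
# Added example (not from the original article): a model of how a CA evaluates
# CAA before issuing, per RFC 8659. SAMPLE_ZONE is constructed data, not a lookup.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CaaRecord:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org; validationmethods=dns-01"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: name -> CAA records published exactly at that name.
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [
        CaaRecord(0, "issue", "digicert.com"),
        CaaRecord(0, "issuewild", "letsencrypt.org"),
    ],
    # api.example.com publishes no CAA, so it inherits example.com's policy.
    "legacy.example.com": [
        CaaRecord(0, "issue", ";"),  # empty issuer domain: nobody may issue
    ],
    "dns01.example.com": [
        CaaRecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
}


def effective_caa(name: str, zone: Dict[str, List[CaaRecord]]) -> Tuple[Optional[str], List[CaaRecord]]:
    """Climb from `name` toward the root. The first name with a non-empty CAA
    RRset supplies the Relevant RRset (RFC 8659 section 3). Returns
    (name_where_policy_was_found, records); (None, []) means no CAA applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain; key=value; ...' into the issuer domain and its
    parameters. An empty issuer domain (value ';') authorises no CA at all."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def issuance_permitted(name: str, ca_domain: str, zone: Dict[str, List[CaaRecord]],
                       wildcard: bool = False, method: Optional[str] = None) -> bool:
    """Would a CA identifying itself as `ca_domain` be allowed to issue for
    `name` (or for *.name when wildcard=True) using ACME challenge `method`?"""
    _, rrset = effective_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised property carrying the critical flag forces refusal.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    # issuewild applies to wildcard requests only, and overrides issue there;
    # without any issuewild record a wildcard request falls back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True  # e.g. only iodef published: no issuance restriction
    for r in restricting:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue
        allowed_methods = params.get("validationmethods")
        if method and allowed_methods and method not in {m.strip() for m in allowed_methods.split(",")}:
            continue  # this record authorises the CA, but not with this challenge
        return True
    return False


if __name__ == "__main__":
    for host in ("api.example.com", "legacy.example.com", "dns01.example.com", "www.other.test"):
        src, _ = effective_caa(host, SAMPLE_ZONE)
        print(f"{host}: policy from {src or 'none'}; "
              f"digicert.com={issuance_permitted(host, 'digicert.com', SAMPLE_ZONE)} "
              f"letsencrypt.org={issuance_permitted(host, 'letsencrypt.org', SAMPLE_ZONE)}")
```

Running the model against the sample zone shows the inheritance case from step 3 directly: api.example.com has no record of its own, yet only digicert.com may issue for it because example.com's policy is the effective one, while *.api.example.com is governed by the issuewild record instead.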