A DNS CAA record exists but it's not showing in the DNS list

What is the name of the domain?

What is the issue you’re encountering?

I’m trying to re-key an SSL certificate (origin) but I get this message: A DNS CAA record exists for domain(s) (example.com) which forbids the issuance of this certificate. However, there is no CAA record in Cloudflare

What steps have you taken to resolve the issue?

I’ve checked the DNS records in Cloudflare but there is no CAA.

What feature, service or problem is this related to?

DNS records

Cloudflare automatically adds CAA records when certain features are enabled (e.g. Universal SSL and AMP Real URL or SXG Signed Exchanges).

The CAA record set is not shown in the DNS manager to prevent users from removing it and breaking the associated feature(s). But you’ll see these records when you do a public DNS lookup.

The simple solution to your problem is to add a new CAA record for the CA you want to use at your origin server. And it seems you’ve done this already, as I see the following CAA record set for your domain (I don’t believe GoDaddy is one of the CAs Cloudflare uses, so that must be something you added):

androidphoria.com. 3600 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issue "ssl.com"
androidphoria.com. 3600 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "comodoca.com"
androidphoria.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
androidphoria.com. 3600 IN CAA 0 issue "comodoca.com"
androidphoria.com. 3600 IN CAA 0 issue "letsencrypt.org"
androidphoria.com. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "ssl.com"
androidphoria.com. 3600 IN CAA 0 issuewild "godaddy.com"
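To make the reply above concrete, here is an added example (my own code, not from the thread or from Cloudflare) that parses a CAA record set in the zone-file form shown by the public lookup and applies the RFC 8659 issuance rules: a non-wildcard request is judged only by `issue` records, a wildcard request by `issuewild` records if any exist and otherwise by `issue`, an `issue ";"` record authorises nobody, and a name with no CAA records of its own inherits the set of its closest ancestor. The record set embedded as input is the one quoted in the reply; the zone dictionary and the `www` hostname used to show inheritance are constructed for the example.

```python
import re
from dataclasses import dataclass

# The CAA record set quoted in the reply above (zone-file presentation format,
# as returned by a public DNS lookup), with the run-together line split in two.
CAA_LOOKUP = """
androidphoria.com. 3600 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issue "ssl.com"
androidphoria.com. 3600 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "comodoca.com"
androidphoria.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
androidphoria.com. 3600 IN CAA 0 issue "comodoca.com"
androidphoria.com. 3600 IN CAA 0 issue "letsencrypt.org"
androidphoria.com. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
androidphoria.com. 3600 IN CAA 0 issuewild "ssl.com"
androidphoria.com. 3600 IN CAA 0 issuewild "godaddy.com"
"""


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = "issuer critical"; 0 in every record above
    tag: str     # issue / issuewild / iodef (lower-cased)
    value: str   # the quoted property value, e.g. 'letsencrypt.org' or 'pki.goog; cansignhttpexchanges=yes'


# <owner> <ttl> IN CAA <flags> <tag> "<value>"
_CAA_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> list[CAA]:
    """Parse zone-file style CAA lines into CAA records; blank lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record line: {line!r}")
        records.append(CAA(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of a property value; parameters after ';' are dropped."""
    return value.split(";", 1)[0].strip().lower()


def allowed_cas(records: list[CAA], wildcard: bool = False):
    """CA domains permitted to issue for this name, or None when CAA imposes no restriction.

    RFC 8659: a wildcard request is governed by issuewild when any issuewild record
    exists, otherwise by issue; a non-wildcard request is governed by issue only.
    """
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return None                     # no applicable property: any CA may issue
    # An empty issuer domain (issue ";") contributes nothing, so a set containing
    # only such records correctly evaluates to "no CA at all".
    return {issuer_domain(r.value) for r in relevant if issuer_domain(r.value)}


def may_issue(records: list[CAA], ca_domain: str, wildcard: bool = False) -> bool:
    """Would a CA identifying itself as ca_domain be permitted to issue?"""
    cas = allowed_cas(records, wildcard)
    return True if cas is None else ca_domain.lower() in cas


def find_caa_set(zone: dict[str, list[CAA]], name: str) -> list[CAA]:
    """Relevant record set for name: its own CAA records, else those of the closest
    ancestor that has any. `zone` maps names (no trailing dot) that carry CAA records
    to their records; this stands in for the DNS queries a CA would make."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


if __name__ == "__main__":
    apex = parse_caa(CAA_LOOKUP)
    zone = {"androidphoria.com": apex}          # constructed: only the apex carries CAA
    for host, ca, wild in [("www.androidphoria.com", "godaddy.com", False),
                           ("www.androidphoria.com", "godaddy.com", True),
                           ("www.androidphoria.com", "letsencrypt.org", False)]:
        rrset = find_caa_set(zone, host)
        print(f"{ca:16} wildcard={wild!s:5} -> {'allowed' if may_issue(rrset, ca, wild) else 'forbidden'}")
```

Run against the quoted record set, the script reports that godaddy.com appears only in an `issuewild` record, so a non-wildcard certificate from that CA would still be refused while a wildcard one would pass; a CA that is not listed anywhere is refused for both. That is the check to run with the CA you actually intend to use before re-keying, and it also explains why a hostname such as `www` is governed by the apex records even though it has none of its own.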
