A DNS CAA record exists for domain which forbids the issuance of this Certificate

What is the name of the domain?

maximportal-dot-com

What is the error message?

A DNS CAA record exists for domain(s) maximportal.com which forbids the issuance of this certificate

What is the issue you’re encountering?

Cannot create a new cert in GoDaddy due to a CAA record in Cloudflare

What steps have you taken to resolve the issue?

I have disabled Universal SSL in Cloudflare, but using DNS CAA checkers I still have entries that I can't remove. I've waited over 6 hours and know it could take time; however, I feel there is something hidden and it's not flushing the CAA.

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

Use a DNS CAA checker for maximportal.com

Screenshot of the error

Just add a new CAA record for GoDaddy to your Cloudflare DNS.

Note that your GoDaddy certificate may be issued by GoDaddy CA or Entrust (and possibly others), so get the correct record from GoDaddy support.

For a background to this, your domain currently has the CAA records below:

maximportal.com. 3600 IN CAA 0 issue "ssl.com"
maximportal.com. 3600 IN CAA 0 issuewild "ssl.com"
maximportal.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
maximportal.com. 3600 IN CAA 0 issue "comodoca.com"
maximportal.com. 3600 IN CAA 0 issue "letsencrypt.org"
maximportal.com. 3600 IN CAA 0 issuewild "comodoca.com"
maximportal.com. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"

These records were automagically added to allow Cloudflare to request certificates from these CAs for various services (Universal SSL, Advanced SSL, AMP Real URL, Signed Exchanges, and possibly others).

These records are not shown in the Cloudflare DNS editor for obvious reasons: users could delete or mess with them, making Cloudflare unable to issue certificates for the related services.

The only way to get rid of these CAA records is to disable all the above-mentioned features that require certificates. But this is not necessary (or recommended) at all.

Just add a new CAA record for any additional Certificate Authority (GoDaddy/Entrust in your case) that you need to use to issue certificates for your domain.

Good luck!

Thank you. I’ll reach out to GoDaddy and see if I can get the right CA, as I tried godaddy and starfieldtech to no avail.

GoDaddy could not provide me with the CAA entry to put into my DNS so the certificate can be issued. I still get the same error that there are other CAA records that I cannot delete. I have another domain with Cloudflare and it lists no CAA in a CAA DNS query, so there must be a way for Cloudflare to remove these entries?

From their own support site…

https://www.godaddy.com/en-uk/help/add-a-caa-record-27288

Alternatively, as you are not using the Cloudflare proxy, just disable Universal SSL in your Cloudflare dashboard to remove the CAA records.
https://cf.sjr.dev/tools/check?6c5f423b6a334ffbb4ae05eed39b09c2#dns

I tried removing the proxy and I also disabled Universal SSL, but those entries do not get automatically deleted. It seems I need help from Cloudflare to remove them.

@jmichaels -

Can you try adding two CAA records for GoDaddy?

Wait 1 hour, and then try again.
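The following is an added example, not code from this thread or from Cloudflare or GoDaddy. It evaluates a CAA RRset the way an issuing CA does under RFC 8659 (issue records restrict ordinary names; issuewild records, when present, take precedence for wildcard names; an unknown property with the critical flag forbids issuance) and runs that check against the ten records quoted earlier for maximportal.com. It assumes that godaddy.com is the issuer-domain-name GoDaddy matches against, which should be confirmed with the CA. The result shows why the records above do not authorise GoDaddy, and why the two records suggested in this post (one issue, one issuewild) are both needed: because issuewild records already exist, an issue record alone would only cover non-wildcard certificates.

```python
"""CAA authorisation check following RFC 8659 (added example; not from this thread)."""
from __future__ import annotations
from dataclasses import dataclass

# The CAA RRset quoted earlier in the thread for maximportal.com.
MAXIMPORTAL_CAA = """
maximportal.com. 3600 IN CAA 0 issue "ssl.com"
maximportal.com. 3600 IN CAA 0 issuewild "ssl.com"
maximportal.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
maximportal.com. 3600 IN CAA 0 issue "comodoca.com"
maximportal.com. 3600 IN CAA 0 issue "letsencrypt.org"
maximportal.com. 3600 IN CAA 0 issuewild "comodoca.com"
maximportal.com. 3600 IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
maximportal.com. 3600 IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
"""

# ASSUMPTION: godaddy.com is the issuer-domain-name GoDaddy uses; verify with the CA first.
GODADDY_CAA = """
maximportal.com. 3600 IN CAA 0 issue "godaddy.com"
maximportal.com. 3600 IN CAA 0 issuewild "godaddy.com"
"""


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0..255; bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or a future property tag
    value: str   # e.g. 'digicert.com; cansignhttpexchanges=yes'


def parse_caa_zone(text: str) -> list[CAARecord]:
    """Parse presentation-format lines: <name> <ttl> IN CAA <flags> <tag> "<value>"."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # maxsplit=6 keeps the quoted value (which may contain spaces) as one field.
        parts = line.split(None, 6)
        if len(parts) != 7 or parts[3].upper() != "CAA":
            raise ValueError(f"not a CAA record: {line!r}")
        records.append(CAARecord(int(parts[4]), parts[5].lower(), parts[6].strip().strip('"')))
    return records


def issuer_domain(value: str) -> str:
    """The issuer-domain-name is everything before the first ';'. Empty means 'no CA at all'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records: list[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if the CA identified by ca_domain may issue for the name this RRset covers."""
    ca = ca_domain.lower()
    # A property the CA does not understand, flagged critical, forbids issuance outright.
    for r in records:
        if r.tag not in ("issue", "issuewild", "iodef") and r.flags & 128:
            return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests use issuewild when any exist, otherwise fall back to issue.
    relevant = (issuewild or issue) if wildcard else issue
    # No relevant property: CAA places no restriction on this request.
    if not relevant:
        return True
    return any(issuer_domain(r.value) == ca for r in relevant)


def check_fix(ca_domain: str = "godaddy.com") -> dict[str, bool]:
    """Authorisation for ca_domain before and after adding the two suggested records."""
    current = parse_caa_zone(MAXIMPORTAL_CAA)
    fixed = current + parse_caa_zone(GODADDY_CAA)
    return {
        "before": caa_permits(current, ca_domain),
        "before_wildcard": caa_permits(current, ca_domain, wildcard=True),
        "after": caa_permits(fixed, ca_domain),
        "after_wildcard": caa_permits(fixed, ca_domain, wildcard=True),
    }


if __name__ == "__main__":
    for name, ok in check_fix().items():
        print(f"{name}: {'permitted' if ok else 'forbidden'}")
```

The check only looks at the RRset for the exact name; a real CA also walks up the parent labels until it finds a CAA RRset, so records on a parent zone can restrict a subdomain that publishes none of its own. Note that lowering the TTL does not help with records one cannot see in the editor: the values above can only be changed where they are generated.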

Thank you. I tried that along with others, but it never worked. Even GoDaddy didn't want to give me that. I ultimately gave up and am using a self-signed SSL on the server and a Universal SSL on Cloudflare.
