Best Practice Microsoft Exchange 2019 Cloudflare Certificates etc

Hi brains trust.

We run a MS Exchange server on premise (NOT 365).
Our Certificate is up for renewal.
Since last renewal 2 years ago, I have put Cloudflare in charge of our domain name DNS.

I’m having trouble renewing the certificate.
When I try to renew the certificate through the certificate provider, I get this error: A DNS CAA record exists for domain(s) autodiscover.domain.com.au, mail.domain.com.au which forbids the issuance of this certificate

What is the best setup for this scenario?
Can I just have certificates from Cloudflare instead?

Sounds like you’re using Let’s Encrypt, Acme.sh or Certbot when you’re trying to renew the SSL certificate for your e-mail server :thinking:

Are those DNS records proxied :orange: or rather unproxied :grey: (DNS-only)? E-mail related DNS records should be unproxied :grey: (DNS-only).

Furthermore, does the SSL certificate contain any other domain hostname like naked domain, www, or some other?

Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com; the link is in the lower right corner of that page. Give it a few minutes to take effect. Retry the step/process of renewing your SSL certificate related to your e-mail. Upon success, un-pause.


I don’t know what "Let’s Encrypt, Acme .sh or Certbot " is?
Just purchased cert via sso secureserver net as I did 2 years ago (before we switched to Cloudflare).

Are those DNS records proxied…

Furthermore, does the SSL certificate contain any other domain hostname like naked domain, www, or some other?
contain:

mail
www
autodiscover

Had to remove the dots, as the forum considered them links.

Tried that, same result :frowning:

I can’t find where these CAA records are.
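An added example, not part of the thread: CAA records are inherited from parent names (RFC 8659), so a record at the zone apex also governs mail and autodiscover even when those names carry no CAA record of their own. The sketch below walks that lookup over a constructed zone and reports which name decides the outcome. The issuer domains `ca-one.example` and `ca-two.example` are placeholders, and CNAME handling is left out.

```python
"""CAA lookup per RFC 8659 over a constructed zone (no network access)."""

# Constructed sample data: owner name -> list of (flags, tag, value) CAA records.
# "ca-one.example" and "ca-two.example" are placeholder issuer domains.
SAMPLE_ZONE = {
    "domain.com.au": [(0, "issue", "ca-one.example"),
                      (0, "issuewild", "ca-one.example; policy=ev")],
    "shop.domain.com.au": [(0, "issue", ";")],
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_domain(value):
    """Issuer domain is the text before the first ';' (parameters are ignored)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, owner name of the record set that decided)."""
    wildcard = fqdn.startswith("*.")
    owner, records = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    if not records:
        return True, None  # no CAA anywhere on the path: any CA may issue
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False, owner
    issue = [v for _, t, v in records if t == "issue"]
    wild = [v for _, t, v in records if t == "issuewild"]
    values = wild if (wildcard and wild) else issue
    if not values:
        return True, owner  # record set exists but does not restrict this request
    allowed = ca_domain.lower() in {issuer_domain(v) for v in values}
    return allowed, owner
```

To see the live records for a name and each of its parents, query them directly, for example with `dig +short CAA domain.com.au`.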
