Can't find a CAA record

In Azure, I am trying to create a certificate for a subdomain, but I keep getting an error there indicating that there is already a CAA record for that domain; however, I can’t find an existing CAA entry in Cloudflare. Azure support claims I need to contact the DNS provider (Cloudflare).

I have also checked the domain registrar, but they also don’t have a CAA entry.

Please advise.

Welcome to the Cloudflare Community.

How are you trying to locate the existing CAA record? Are you using a DNS query or just looking in your Cloudflare dashboard DNS app?

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare.


The Azure support team tells me that the CAA record exists. I looked in the Dashboard in Cloudflare and didn’t find it as well as at Dreamhost (the domain registrar). I used nslookup.io to look for the CAA record and it didn’t find it. I looked at entrust.com and it did find something but I’m not sure how to interpret it:

I’m not sure how I would use a DNS query.

I did a dig mysubdomain.mydomain.com caa +short and nothing came back.

You cannot dig only the subdomain. You need to check the apex as well.

I ignored this in my first reply, but since you have revisited it, it is worth mentioning that your registrar has nothing to do with CAA records (unless you are using their DNS, but even then, it would be entirely unrelated to their role as your registrar).

Ah - good to know about the registrar. Our DNS is entirely at Cloudflare. I did a dig on the apex like you suggested and got this response. Not sure what it means for me though.


Those are the CAs that are allowed to issue certificates for your domain.

It seems odd that comodoca.com is on the list since they use sectigo.com these days. It also doesn’t make sense to have explicit issuewild records since issue contains an implicit issuewild, but it shouldn’t hurt anything.

What CA are you wanting to cover with a CAA record?
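The lookup this thread walks through (query the subdomain, then climb to the apex) and the issue/issuewild semantics mentioned above, as an added example that is not from the thread or from Cloudflare: a Python implementation of the RFC 8659 CAA climb with an injectable resolver, exercised offline against a constructed zone (the example.com name and the CA domains in it are assumed sample data).

```python
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample zone: the subdomain has no CAA set, only the apex does,
# which is exactly why "dig sub.domain CAA" comes back empty.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "comodoca.com"',
        '0 issue "digicert.com"',
        '0 issuewild "digicert.com"',
    ],
}

Resolver = Callable[[str], List[str]]

def static_resolver(name: str) -> List[str]:
    """Return CAA RDATA strings for name, shaped like 'dig NAME CAA +short' output."""
    return SAMPLE_ZONE.get(name.rstrip(".").lower(), [])

def dig_resolver(name: str) -> List[str]:
    """Live lookup via dig (needs network); same output shape as static_resolver."""
    out = subprocess.run(["dig", name, "CAA", "+short"], capture_output=True, text=True, check=False)
    return [line for line in out.stdout.splitlines() if line.strip()]

def find_caa_set(name: str, resolve: Resolver = static_resolver) -> Optional[str]:
    """Walk from name toward the root; the closest label with CAA records governs."""
    labels = name.rstrip(".").lower().split(".")
    while len(labels) >= 2:  # stop before the TLD
        candidate = ".".join(labels)
        if resolve(candidate):
            return candidate
        labels = labels[1:]
    return None

def ca_allowed(name: str, ca_domain: str, wildcard: bool = False, resolve: Resolver = static_resolver) -> bool:
    """True if ca_domain may issue for name under the governing CAA set (RFC 8659 rules)."""
    owner = find_caa_set(name, resolve)
    if owner is None:
        return True  # no CAA anywhere up the chain: any CA may issue
    records = []
    for rdata in resolve(owner):
        _flags, tag, value = rdata.split(None, 2)
        records.append((tag.lower(), value.strip('"').split(";")[0].strip()))
    # issuewild applies to wildcard names only if present; otherwise issue covers them too
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in records) else "issue"
    relevant = [v for t, v in records if t == tag]
    if not relevant:
        return True  # no restricting property for this kind of name
    return ca_domain.lower() in relevant
```

Pass resolve=dig_resolver to find_caa_set or ca_allowed to run the same logic against live DNS.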

I don’t want any CAA record. I am being told by the Azure team that I can’t create a certificate for a subdomain because there is an existing CAA record for my subdomain and that I need to remove it from Cloudflare before they can help me. I am trying to either remove the existing CAA record (doesn’t appear to be one - like I thought) or to prove to them that there is no CAA record and they need to figure out why their platform isn’t able to create a certificate for me.

Do you use AMP Real URL or SXG Signed Exchanges? If you do, that requires CAA records and you will need to add one or more to cover the CAs that the Azure team will use.

No. We don’t use either of those.

I’ll escalate this post for the attention of the Customer Support Team so they can get back to you here. If you have already contacted Support, please share your ticket number here so that they can track it.

Can you share a screenshot from https://dash.cloudflare.com/?to=/:account/:zone/speed/optimization/other so we can confirm that both AMP Real URL and Automatic Signed Exchanges (SXGs) are definitely disabled?


Good call. SXGs are enabled, but the AMP Real URL are not.


If having no CAA records is more important than Automatic Signed Exchanges (SXGs), you can disable them. Otherwise, you will need the Azure team to identify the CAs they want authorized and create the corresponding CAA records.
