In Azure, I am trying to create a certificate for a sub domain but I keep getting an error there indicating that there is already a CAA for that domain, however, I can’t find an existing CAA entry in cloudflare. Azure support claims I need to contact the DNS provider (Cloudflare).
I have also checked the domain registrar, but they also don’t have a CAA entry.
How are you trying to locate the existing CAA record? Are you using a DNS query or just looking in your Cloudflare dashboard DNS app?
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare.
The Azure support team tells me that the CAA record exists. I looked in the Cloudflare dashboard and didn't find it, nor at Dreamhost (the domain registrar). I used nslookup.io to look for the CAA record and it didn't find it. I looked at entrust.com and it did find something but I'm not sure how to interpret it:
I ignored this in my first reply, but since you have revisited it, it is worth mentioning that your registrar has nothing to do with CAA records (unless you are using their DNS, but even then, it would be entirely unrelated to their role as your registrar).
Ah - good to know about the registrar. Our DNS is entirely at Cloudflare. I did a dig on the apex like you suggested and got this response. Not sure what it means for me though.
Those are the CAs that are allowed to issue certificates for your domain.
It seems odd that comodoca.com is on the list since they use sectigo.com these days. It also doesn’t make sense to have explicit issuewild records since issue contains an implicit issuewild, but it shouldn’t hurt anything.
What CA are you wanting to cover with a CAA record?
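Added example, not code from this thread or from Cloudflare or Azure: a small Python model of how a CA evaluates CAA under RFC 8659. It covers two points raised above: the `dig` query suggested earlier only shows the RRset at the exact name queried, whereas a CA walks from the requested name up to the apex and uses the first non-empty CAA RRset it finds (which is why a lookup on the subdomain can come back empty while the apex records still apply), and the issue/issuewild rule from the previous post (when an issuewild property is present in that RRset it governs wildcard requests; otherwise issue does). The zone below is constructed, and `zone_lookup` stands in for a real DNS query such as `dig +short CAA <name>`.

```python
# Added example (not code from the thread or from Cloudflare/Azure): evaluates
# which CA may issue for a name using the RFC 8659 CAA algorithm. The zone data
# is constructed; `zone_lookup` stands in for a real query such as
# `dig +short CAA <name>`.
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class CAA(NamedTuple):
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAA:
    """Parse one CAA record in dig's presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone modelled on the thread: CAA records exist only at the apex,
# so a query on the subdomain itself returns nothing.
ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com"',
        '0 issuewild "letsencrypt.org"',
    ],
    "www.example.com.": [],                          # exists, but carries no CAA
    "blocked.example.com.": ['0 issue ";"'],         # empty issuer: no CA may issue here
    "strict.example.com.": ['128 unknown-tag "x"'],  # critical flag on a tag we don't know
}

Lookup = Callable[[str], List[CAA]]


def zone_lookup(name: str) -> List[CAA]:
    """Stand-in for a DNS query; returns the CAA RRset at exactly this owner name."""
    return [parse_caa(r) for r in ZONE.get(name, [])]


def relevant_caa_set(name: str, lookup: Lookup = zone_lookup) -> Optional[Tuple[str, List[CAA]]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found walking from the name up to the root. Returns (owner name, records)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = lookup(owner)
        if rrset:
            return owner, rrset
    return None


def may_issue(name: str, ca_domain: str, wildcard: bool = False,
              lookup: Lookup = zone_lookup) -> bool:
    """Decide whether `ca_domain` is authorised to issue a certificate for `name`."""
    if name.startswith("*."):
        name, wildcard = name[2:], True
    found = relevant_caa_set(name, lookup)
    if found is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    _, rrset = found
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    records = [r for r in rrset if r.tag == tag]
    if not records:
        return True  # no property of the governing type: not restricted by CAA
    # The issuer domain is the part before any ';' parameters; an empty issuer
    # (the record '0 issue ";"') authorises nobody.
    authorised = {r.value.split(";", 1)[0].strip().lower() for r in records}
    authorised.discard("")
    return ca_domain.lower() in authorised


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "pki.goog")]:
        owner, _ = relevant_caa_set(host)
        print(f"{host}: {ca} may issue = {may_issue(host, ca)} (records found at {owner})")
```

To reproduce the check against a live domain, replace `zone_lookup` with a function that runs `dig +short CAA <name>` and parses each returned line with `parse_caa`; `relevant_caa_set` then reports the owner name that actually carries the records, which is the name to look at in the DNS dashboard rather than the subdomain being certified.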
I don’t want any CAA record. I am being told by the Azure team that I can’t create a certificate for a subdomain because there is an existing CAA record for my subdomain and that I need to remove it from Cloudflare before they can help me. I am trying to either remove the existing CAA record (doesn’t appear to be one - like I thought) or to prove to them that there is no CAA record and they need to figure out why their platform isn’t able to create a certificate for me.
Do you use AMP Real URL or SXG Signed Exchanges? If you do, that requires CAA records and you will need to add one or more to cover the CAs that the Azure team will use.
I’ll escalate this post for the attention of the Customer Support Team so they can get back to you here. If you have already contacted Support, please share your ticket number here so that they can track it.
If having no CAA records is more important than Automatic Signed Exchanges (SXGs), you can disable them. Otherwise, you will need the Azure team to identify the CAs they want authorized and create the corresponding CAA records.