External Subdomain Renewing SSL Certificate

ebernardo · May 26, 2020, 5:48pm

We have a SSL Certificate subdomain hosted in GoDaddy and we’re trying to renew the SSL Certificate. We’re running into an issue where we cannot renew because we’re getting the message:

“A DNS CAA record exists for domain(s) which forbids the issuance of this certificate”

After digging through the community and through CF’s Help Center, we turned off Universal SSL under Edge Certificates thinking that this would be the culprit. CF hosts all our DNS and we do not have any other DNS providers. We waited until the “Pending Deletion” was gone and no longer had any certificates. But we are still seeing the same error message on GoDaddy.

Would there be any other steps we can do to renew our SSL certificate without having this message appear?

sdayman · May 26, 2020, 6:14pm

You can add your own CAA record. Do you know who the certificate issuer is?

ebernardo · May 26, 2020, 6:20pm

Thanks for getting back to me.

We don’t have our own CAA record - that’s the thing. CloudFlare hosts all our DNS and after running a 3rd party check tool, we get exactly what is shown here:

My thinking is that it’s due to the Universal SSL that is enabled on our CloudFlare. We turned that off, but we’re still unable to renew our SSL Cert.

sdayman · May 26, 2020, 7:23pm

Give the CAA record approach a try. I didn’t know about them disabling Universal SSL…because I guess I haven’t broken anything with my additional CAA records.

system · June 25, 2020, 7:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.