What is the name of the domain?
What is the issue you’re encountering
unable to remove CAA records which were added with the Universal SSL certificate
What is the current SSL/TLS setting?
Full
Cloudflare adds CAA records to your domain to make sure that they can issue edge certificates
Certification Authority Authorization (CAA) FAQ · Cloudflare SSL/TLS docs
You can still add additional CAA records to a domain to authorise the CA that you are trying to use.
If you disable Universal SSL it will remove the CAA records added by Cloudflare but can cause issues with other domains/subdomains on your zone that use them.
Thank you for your response. Unfortunately, GoDaddy gives the same error even after we add the CAA record for them. Therefore, we are trying to disable and remove the CAA records which were generated with the Universal SSL certificate, and once all the CAA records are removed, we will renew the GoDaddy SSL and enable Universal SSL.
Are you trying to request a single certificate or a wildcard certificate? I can only see a wildcard CAA record for godaddy.com.
dig baurs.com CAA +short
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issue "ssl.com"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "godaddy.com"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "ssl.com"
If you're trying to obtain a single domain certificate you need to add
0 issue "godaddy.com"
I’m trying to renew my Wildcard SSL Certificate.
I can't find any docs on how GoDaddy is checking the CAA records.
They also use 2 CAs: GoDaddy and Starfield Technologies.
Do you want to try adding the following 4 records to see if that can pass the GoDaddy verification?
0 issue "godaddy.com"
0 issue "starfieldtech.com"
0 issuewild "godaddy.com"
0 issuewild "starfieldtech.com"
Thank you Henry for the reply,
Is there any time period for the propagation, or if the dig search shows the newly added CAA records, should GoDaddy be able to generate the certificate?
If you can see the records with dig it should be ok.
You can also check the propagation here
dig baurs.com CAA +short
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "godaddy.com"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issue "sectigo.com"
0 issue "ssl.com"
0 issue "starfieldtech.com"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "godaddy.com"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "sectigo.com"
0 issuewild "ssl.com"
0 issuewild "starfieldtech.com"
Hi Henry,
Once I updated the CAA records as you mentioned, I was able to generate the certificate.
Thank you, and I highly appreciate your support.
Thank you,
Chinthana
No problem, happy to help.
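Added example, not part of any post in this thread and not Cloudflare's or GoDaddy's code: a small Python check that applies the RFC 8659 issue/issuewild rules to the first dig output above, showing which CA domains that record set authorises for wildcard and single-name certificates. The function names are hypothetical, only records at the queried name are evaluated (no climbing to parent domains, no critical-flag handling), and how GoDaddy itself performs the check is not documented in the thread.

```python
# Added example: evaluate a CAA record set per RFC 8659 issue/issuewild rules.
# BEFORE is copied from the first `dig baurs.com CAA +short` output in the thread.
BEFORE = """\
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issue "ssl.com"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "godaddy.com"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "ssl.com"
"""

def parse_caa(dig_short):
    """Parse `dig CAA +short` lines into (flags, tag, issuer_domain) tuples."""
    records = []
    for line in dig_short.splitlines():
        if not line.strip():
            continue
        flags, tag, value = line.split(None, 2)
        # Drop the quotes, then any parameters after ';' (e.g. cansignhttpexchanges=yes).
        issuer = value.strip().strip('"').split(";", 1)[0].strip().lower()
        records.append((int(flags), tag.lower(), issuer))
    return records

def ca_authorized(records, ca_domain, wildcard):
    """Return True if the record set lets ca_domain issue.

    wildcard=True means a *.example.com request, False a single-name request.
    """
    issue = [i for _, t, i in records if t == "issue"]
    issuewild = [i for _, t, i in records if t == "issuewild"]
    # Wildcard requests use issuewild when any exists, otherwise fall back to issue.
    # Non-wildcard requests ignore issuewild entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting tag present: CAA does not limit issuance
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    recs = parse_caa(BEFORE)
    for ca in ("godaddy.com", "starfieldtech.com"):
        print(ca, "wildcard:", ca_authorized(recs, ca, True),
              "single:", ca_authorized(recs, ca, False))
```

Running the same check against the second dig output in the thread is a matter of pasting that output in place of `BEFORE`.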