SSL cert not auto-renewing with caa_error pending issuance

All my SSL edge certificates are not renewing and have a caa_error pending issuance.
I have tried looking this up, but all the solutions I find cannot be applied to my situation because I do not have the options available. For example, one solution said to add a CAA DNS record, but I can't because I only have the option to create A, AAAA, and CNAME records in the DNS feature.
Here is a screenshot of the error


Any advice will be appreciated, thanks!

Hello,

You most likely have CAA records set on your authoritative DNS which are blocking Cloudflare from issuing a universal certificate. Since you are only able to choose A, AAAA or CNAME records, you have a CNAME setup on this specific domain.

I would recommend adding the following CAA records on your authoritative DNS
(please replace example.com with your domain)
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

Here is a great article that goes through CAA records and setting CAA records
https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ
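
Added example, not part of the original replies: a small offline model of how a CA evaluates CAA records under RFC 8659, showing why an existing CAA RRset on the authoritative DNS blocks issuance until the CA's identifier is added. The zone contents, `other-ca.example`, and all function names are constructed for illustration.

```python
import re

# Constructed sample zones (not from the thread).
BEFORE = 'example.com. IN CAA 0 issue "other-ca.example"\n'
AFTER = BEFORE + (
    'example.com. IN CAA 0 issue "letsencrypt.org"\n'
    'example.com. IN CAA 0 issuewild "letsencrypt.org"\n'
)

CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$', re.I)
KNOWN_TAGS = ("issue", "issuewild", "iodef")

def parse_zone(text):
    """Return {owner: [(flags, tag, issuer_domain)]} from zone-file CAA lines."""
    rrsets = {}
    for line in text.splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            continue
        owner, flags, tag, value = m.groups()
        issuer = value.split(";", 1)[0].strip().lower()  # drop any parameters
        key = owner.lower().rstrip(".")
        rrsets.setdefault(key, []).append((int(flags), tag.lower(), issuer))
    return rrsets

def relevant_rrset(rrsets, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        found = rrsets.get(".".join(labels[i:]))
        if found:
            return found
    return []

def ca_may_issue(rrsets, name, ca_domain):
    """True if CAA permits ca_domain to issue for name (which may be *.x)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(rrsets, name[2:] if wildcard else name)
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False  # unrecognised critical property: CA must not issue
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild if any exist, otherwise fall back to issue.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # no restricting property: CAA does not limit issuance
    return ca_domain.lower() in allowed
```

Because the lookup climbs toward the root, a CAA RRset on the parent domain also governs subdomains that have no CAA records of their own.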
