All - subdomains are blocked creating Letsencrypt-certificates - urn:ietf:params:acme:error:caa. Upd 15:30 Microsoft has removed all CAA

I’m having issues creating a certificate for an Azure virtual machine using the win-acme client (wacs). I’m using wacs in unattended mode and this worked for different VMs (with different hostnames) till this morning.


I ran this command:
wacs.exe (release, pluggable)
I tried using wacs.exe in unattended mode and in the normal CLI mode. The results are the same.

It produced this output:

Authorize identifier: 
Authorizing using http-01 validation (SelfHosting)
    "detail": "CAA record for prevents issuance",
    "status": 403
Authorization result: invalid

My web server is (include version): -

The operating system my web server runs on is (include version):
Windows 10 1909

My hosting provider, if applicable, is:
Microsoft Azure

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Thank you for your help!


Hi @jonben

you can't create a certificate with that domain name. See your check -

13. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
0 no CAA entry found 1 0
0 no CAA entry found 1 0
0 no CAA entry found 1 0
5 issue 1 0
5 issue 1 0
5 issue 1 0
com 0 no CAA entry found 1 0

Only digicert, entrust and globalsign are allowed to create certificates with

You may add your own CAA entry with your complete domain name. But that may be impossible.



We have a similar issue with our domain which was working previously. This used to work previously.

Now our certificates are not renewing or not able to create a new one. We are getting CAA record for prevents issuance

Is this expected, or can we define a CAA record at the “” with letsencrypt to allow this?



Hi @JuergenAuer

Thank you for your response.
This seems strange, the same certificate creation process worked yesterday.

Just for my understanding: this is something I can’t do anything about, because Microsoft set these CAA records for
I think it isn’t possible for me to set CAA entries for the complete domain name.


If Microsoft has changed the CAA entries yesterday / today, now it doesn't work. That's how CAA RRs are defined.

CAAs are checked hierarchically. Longest -> shortest.

An existing CAA stops that.

So if you can't create a CAA with the long domain name, the CAA entry of blocks.
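The hierarchical check described above (longest name first, first CAA RRset found wins, so a record on a parent covers every subdomain beneath it unless the host has its own) is what a CA's validator has to implement under RFC 8659. The following is an added example, not code from the thread or from any CA, that replays the three states discussed here against constructed zone data: the parent-level CAA naming three other CAs, the zone after those records were removed, and a host-level CAA overriding the parent. All names (cloud.example.net, vm1.westeurope.cloud.example.net) are hypothetical.

```python
"""Decide whether a CA may issue for a hostname by walking CAA records the way
RFC 8659 requires: start at the full name, climb one label at a time, and stop
at the first name that has a CAA RRset. Zone contents below are constructed
for this example; they are not the real records discussed in the thread."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 marks the property as issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain, optionally followed by ";param=value"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def candidate_names(fqdn):
    """Yield the name itself, then each parent up to the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa(zone, fqdn):
    """First RRset found climbing the tree wins; nothing above it is consulted.
    This is why one CAA record on a parent name covers every name beneath it."""
    for name in candidate_names(fqdn):
        rrset = zone.get(name)
        if rrset:
            return name, rrset
    return None, []


def issuer_of(value):
    """Strip parameters: 'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, fqdn, ca_domain):
    """Return (permitted, reason) for ca_domain issuing a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_caa(zone, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no CAA RRset on the name or any parent: any CA may issue"
    # A critical property the validator does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & 128 and rr.tag not in KNOWN_TAGS:
            return False, f"critical unknown property '{rr.tag}' at {owner}"
    # Wildcard names are governed by issuewild when present, otherwise by issue.
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"
    selected = [rr for rr in rrset if rr.tag == tag]
    if not selected:
        return True, f"CAA at {owner} carries no '{tag}' property: no restriction"
    allowed = {issuer_of(rr.value) for rr in selected}
    if ca_domain.lower() in allowed:
        return True, f"'{ca_domain}' listed under '{tag}' at {owner}"
    return False, f"CAA at {owner} restricts '{tag}' to {sorted(allowed)}"


# Constructed zones (hypothetical names, not the thread's real domain):
# a parent-level CAA that names three CAs, the same zone after the records were
# removed, and a host-level CAA that overrides the parent for one name only.
PARENT = "cloud.example.net"
HOST = "vm1.westeurope." + PARENT
ZONE_BLOCKED = {PARENT: [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issue", "entrust.net"),
                         CAA(0, "issue", "globalsign.com")]}
ZONE_OPEN = {}
ZONE_OVERRIDE = {**ZONE_BLOCKED, HOST: [CAA(0, "issue", "letsencrypt.org")]}


def demo():
    """Replay the thread's three states for Let's Encrypt issuing for HOST."""
    return {
        "blocked": ca_may_issue(ZONE_BLOCKED, HOST, "letsencrypt.org"),
        "records_removed": ca_may_issue(ZONE_OPEN, HOST, "letsencrypt.org"),
        "own_caa_on_host": ca_may_issue(ZONE_OVERRIDE, HOST, "letsencrypt.org"),
    }


if __name__ == "__main__":
    for state, (ok, why) in demo().items():
        print(f"{state:16} {'permitted' if ok else 'refused  '} {why}")
```

Running it shows the parent record refusing letsencrypt.org while permitting the three listed CAs, the empty zone permitting everyone, and the host-level record permitting the host it is set on but leaving its siblings blocked by the parent. The same walk also covers the two details the thread does not spell out: an issuer-critical property with an unknown tag refuses issuance outright, and a wildcard name is judged by issuewild when one exists.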


The same with * Our one AKS cluster is working using a certificate issued by Let's Encrypt 3 days ago. But another one, created a few hours ago, can’t get one. Didn’t find any announcement from Microsoft about coming changes…


I’ve edited the topic title.

There are a lot of users with the same problem.


That's expected.

A blocking CAA on blocks all subdomains.


I have posted a question to MS about this today; let's see if we can get anything out of them. This has come at a really bad time for us, we really need this to be working for our deployments.
MS Link


I see a referer in “check-your-website” - from a servicedesk - microsoft site. To one of these azure subdomain checks.

Looks like Microsoft checks that.


Oh - I see: Microsoft has removed all CAA entries.

A check, some minutes old -

13. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
0 no CAA entry found 1 0
0 no CAA entry found 1 0
0 no CAA entry found 1 0
0 no CAA entry found 1 0
com 0 no CAA entry found 1 0

No CAA entry defined.

So creating Letsencrypt certificates should work.


Works like a charm now, thanks for checking this out for me!


Question: How do you guys pass the verification when we don’t have access to the DNS of


Microsoft has removed the blocking CAA entries.

A post was split to a new topic: TXT requirements

You have to use files in the /.well-known/acme-challenge folder of your website.
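The file the reply refers to is the http-01 challenge response of RFC 8555 (section 8.3): the CA fetches http://<host>/.well-known/acme-challenge/<token> on port 80 and expects the body to be the key authorization, i.e. the token, a dot, and the base64url SHA-256 thumbprint of the ACME account key (RFC 7638). The block below is an added example, not code from the thread, from win-acme or from Let's Encrypt; it computes that file content and applies the checks a validator performs on the response. The account JWK and token are constructed placeholder values, not a real key.

```python
"""Compute and check an http-01 key authorization (RFC 8555, section 8.3): the
file the ACME server fetches at /.well-known/acme-challenge/<token> must
contain token '.' base64url(SHA-256(JWK thumbprint of the account key)).
The account key and token below are constructed placeholder values, not a
real key; the thumbprint computation itself follows RFC 7638."""

import base64
import hashlib
import json
import re

B64URL_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def token_is_wellformed(token: str) -> bool:
    """Tokens are base64url only (so they can never name a file outside the
    challenge directory) and carry at least 128 bits of entropy, i.e. at least
    22 base64url characters."""
    return bool(B64URL_TOKEN.match(token)) and len(token) >= 22


def key_authorization(token: str, account_jwk: dict) -> str:
    """Exact content of the challenge file the client must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def validate_http01_body(token: str, account_jwk: dict, body: str) -> bool:
    """What the CA's validator checks after fetching the URL over plain HTTP
    (port 80); trailing whitespace in the served file is tolerated."""
    if not token_is_wellformed(token):
        return False
    return body.rstrip() == key_authorization(token, account_jwk)


# Constructed placeholders: a sample P-256 public JWK and a sample token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",  # optional members are excluded from the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed


def demo():
    """Show the path and content to serve, then the validator's verdicts."""
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    other_key = {**ACCOUNT_JWK, "x": ACCOUNT_JWK["y"]}  # constructed wrong key
    return {
        "path": challenge_path(TOKEN),
        "file_content": expected,
        "served_with_newline_ok": validate_http01_body(TOKEN, ACCOUNT_JWK, expected + "\n"),
        "wrong_account_key_rejected": validate_http01_body(TOKEN, other_key, expected),
        "malformed_token_rejected": validate_http01_body("bad/token", ACCOUNT_JWK, expected),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the thumbprint is bound to the account key, the file contents prove both that the requester controls the web server on port 80 for that hostname and that the same ACME account that requested the challenge placed them; no DNS access to the parent zone is involved, which is why this method works for hosts under a provider-owned domain.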

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.