Blocking CAA record(s) found on one or more of the specified domains

My domain is: nausch.org

My CA is: actalis.com

I ran this command:

certbot certonly --standalone \
                 --rsa-key-size 4096 \
                 --server https://acme-api.actalis.com/acme/directory \
                 --eab-kid <-REDACTED-> \
                 --eab-hmac-key <-REDACTED-> \
                 --domains wviewadmin.nausch.org \
                 --agree-tos \
                 --email hostmaster@nausch.org \
                 --renew-by-default

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for wviewadmin.nausch.org
An unexpected error occurred:
Blocking CAA record(s) found on one or more of the specified domains
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The last few lines in /var/log/letsencrypt/letsencrypt.log are:

2026-03-06 12:28:58,668:DEBUG:acme.client:Received response:
HTTP 400
server: nginx
date: Fri, 06 Mar 2026 11:31:13 GMT
content-type: application/problem+json
replay-nonce: 2d741aa5c3a4405898e9b2498b59603c
content-length: 139

{"status": 400, "type": "urn:ietf:params:acme:error:caa", "detail": "Blocking CAA record(s) found on one or more of the specified domains"}
2026-03-06 12:28:58,668:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3.14/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/certbot/_internal/main.py", line 1886, in main
    return config.func(config, plugins)
           ~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/certbot/_internal/main.py", line 1598, in certonly
    lineage = _get_and_save_cert(le_client, config, sans, certname, lineage)
  File "/usr/lib/python3.14/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(sans, certname)
  File "/usr/lib/python3.14/site-packages/certbot/_internal/client.py", line 533, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(sans)
                          ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3.14/site-packages/certbot/_internal/client.py", line 434, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.14/site-packages/certbot/_internal/client.py", line 494, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem, profile=profile)
  File "/usr/lib/python3.14/site-packages/acme/client.py", line 135, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/lib/python3.14/site-packages/acme/client.py", line 461, in _post
    return self.net.post(*args, **kwargs)
           ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/acme/client.py", line 812, in post
    return self._post_once(*args, **kwargs)
           ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/site-packages/acme/client.py", line 827, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3.14/site-packages/acme/client.py", line 699, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:caa :: Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Blocking CAA record(s) found on one or more of the specified domains

My web server is (include version): Apache with HAproxy in front

The operating system my web server runs on is (include version): I use Arch, BTW! :smiling_face_with_sunglasses:

The version of my client is : certbot 5.3.1

CAA Records of my domain:

 $ dig CAA nausch.org +short

0 iodef "mailto:hostmaster@nausch.org"
0 issue "actalis.com"
0 issuewild "actalis.com"

Any hint is welcome. What's the problem? Except PEBCAK, of course.

You need to use actalis.it rather than actalis.com in your CAA record, this is buried in section 3.2.2.8 of the certification practices statement (https://www.actalis.com/cps-for-ssl-server-and-code-signing).

... or add 0 issue "letsencrypt.org" to your existing CAA record, to authorize LE to issue certificates for your domain.
(I assumed your question was about Let's Encrypt...)
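To make the CAA rule behind both replies concrete, here is an added offline model of RFC 8659 CAA processing (example code written for this thread, not certbot's or Actalis' implementation). The zone data is constructed from the dig output above, the CA identifiers actalis.it and letsencrypt.org come from the replies, and a real check would query DNS instead of a dictionary.

```python
# Offline model of RFC 8659 CAA processing (added example, not certbot or Actalis code).
# Zone data below is constructed to mirror the dig output in the question.
from typing import Dict, List, Tuple

CaaRR = Tuple[int, str, str]  # (flags, tag, value)

# Constructed stand-in for DNS answers; a real check would query CAA records via DNS.
OP_ZONE: Dict[str, List[CaaRR]] = {
    "nausch.org": [
        (0, "iodef", "mailto:hostmaster@nausch.org"),
        (0, "issue", "actalis.com"),
        (0, "issuewild", "actalis.com"),
    ],
}

def relevant_caa(name: str, zone: Dict[str, List[CaaRR]]) -> List[CaaRR]:
    """RFC 8659 s3: for a wildcard, start at the parent; climb towards the root
    and use the first non-empty CAA RRset found (no records at any level -> [])."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def caa_permits(name: str, ca_domain: str, zone: Dict[str, List[CaaRR]]) -> bool:
    """True if a CA identified by ca_domain may issue for name under that zone."""
    rrset = relevant_caa(name, zone)
    # An unrecognised property marked critical (flag bit 128) forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild takes precedence for wildcard names only when it is present.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # no restricting property (no CAA at all, or only iodef)
    # Value is "<domain>[; param=value ...]"; ";" alone (empty domain) blocks every CA.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

def with_extra_issue(zone: Dict[str, List[CaaRR]], apex: str, ca_domain: str) -> Dict[str, List[CaaRR]]:
    """Copy of zone with an additional 0 issue "<ca_domain>" record at apex."""
    fixed = {k: list(v) for k, v in zone.items()}
    fixed.setdefault(apex, []).append((0, "issue", ca_domain))
    return fixed
```

Calling caa_permits("wviewadmin.nausch.org", "actalis.it", OP_ZONE) reproduces the refusal, and with_extra_issue(OP_ZONE, "nausch.org", "actalis.it") models the suggested fix (note that a wildcard name would still need issuewild updated as well).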

@MaxHearnden has given the answer but you can also refer to the SSL Mate CAA Record Generator tool. See: CAA Record Generator

Well, Certbot refers people here for any problem regardless of CA so ...

OMG, their support told me to use .com :roll_eyes:

No offense, but our company policy expressly prohibits us from becoming dependent on IT services from insecure third countries.

You SHOULD have got an email at your iodef address (hostmaster@nausch.org) that explains that "actalis.it tried to issue a certificate" or similar, and that should have hinted to you that the domain name in the CAA record was wrong.

Let’s Encrypt is based in the USA. :us_outlying_islands:

Thus not a third world country, nor insecure. :slightly_smiling_face:

Yes.

I suspect they meant third-party country, as in not related to their organization or their users.

And "secure" and "insecure" aren't really meaningful as blanket statements. Some jurisdictions might be more secure against some threats and less secure against other threats, and different people are concerned about different threats.

They might still be wanting to prepare for a potential future where Let's Encrypt stops issuing to them or one where they would need to distrust U.S. based certificate authorities.

While this would be unprecedented and IMO unlikely, their company might still be trying to mitigate these operational and security risks.

Fair enough @petercooperjr, but that also applies to the OP's comment of

Good point @MaxHearnden.