CAA error for issuing certificate with

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
dig CAA
It produced this output:

dig CAA

; <<>> DiG 9.10.6 <<>> CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58233
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096


We were told by LE that there are CAA errors on domains for certificate with The issue is that the actual tests for CAA check work fine for the domain. The error I see in the API response from LE is below. Can we get more information on this error? How can I validate what exactly is the CAA error here? We had seen something similar with .mil domain in past.

  code: le-certificate-error
  message: Error getting certificate and trust chain from Let's Encrypt
  formatString: 'Error: {0}, Detail: {1}'
  - Error getting certificate and trust chain from Let's Encrypt
  - POST to failed.
  timestamp: 2018-11-16T21:22:47z

Why would you think the error signifies a CAA error?

It would have been helpful if you also gave the command for the issuing of the certificate, not just the dig command.

In the past, Let’s Encrypt was not allowed to issue certificates for .mil domains at all, but now that rule has changed and there are a number of .mil certificates issued by Let’s Encrypt.

As @Osiris mentioned, it would be helpful to see the exact command and error message, or whatever communication you’ve previously had from Let’s Encrypt staff about CAA problems.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.