We have a domain that does not have the CAA to allow Let's Encrypt to create a certificate, but we do have it enabled in a subdomain of that main domain, and it gives us the following error:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: subdomain.domain.com
Type: caa
Detail: CAA record for domain.com prevents issuance
Your thread is more suitable for the Help section instead of the Issuance Tech category. I'll move it for you.
If you would have opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
It's going to be hard to help without the actual domain name, but just like it says, if your CAA record doesn't allow Let's Encrypt then it won't work. That page @MikeMcQ linked also links to the SSLMate’s CAA Record Generator which might be helpful for making sure your record says what you think it should.
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: formaciones.firmaprofesional.com
Type: caa
Detail: During secondary validation: CAA record for firmaprofesional.com prevents issuance
My web server is (include version):
Not relevant
The operating system my web server runs on is (include version):
Ubuntu 22.04
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
firmaprofesional.com. 300 IN CAA 0 issuewild "firmaprofesional.com"
firmaprofesional.com. 300 IN CAA 0 issue "firmaprofesional.com"
I doubt you're a CA? In any case, the presence of these CAA RRs is blocking issuance for CAs that are not named firmaprofesional.com.
I also see you have a CNAME RR set for formaciones.firmaprofesional.com. It's not allowed to have any other RR other than DNSSEC RRs present together with CNAME. This includes CAA RRs. The CNAME points to cluster.evolmind.com which does not have a CAA RR set.
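The lookup described in the reply above, as an added example that is not part of the thread: a sketch of the RFC 8659 CAA tree climb over constructed zone data holding only the two CAA records and the CNAME quoted in the thread. The function names and the use of `letsencrypt.org` as the CA's issuer domain name are assumptions of this example.

```python
# Constructed data: the two CAA records and the CNAME quoted in the thread.
CAA = {
    "firmaprofesional.com": [("issuewild", "firmaprofesional.com"),
                             ("issue", "firmaprofesional.com")],
}
CNAME = {"formaciones.firmaprofesional.com": "cluster.evolmind.com"}


def caa_lookup(name):
    """CAA RRset at one name, following CNAMEs as a resolver would."""
    seen = set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    return CAA.get(name, [])


def relevant_rrset(fqdn):
    """Climb from fqdn towards the root; the first non-empty RRset wins.

    Returns (name_where_found, rrset), or (None, []) if no CAA exists.
    The climb uses the parents of the original name, not of a CNAME target.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_lookup(name)
        if rrset:
            return name, rrset
    return None, []


def may_issue(fqdn, ca_domain):
    """True if ca_domain may issue for fqdn (a leading '*.' marks a wildcard)."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn)
    issue = [v for t, v in rrset if t == "issue"]
    issuewild = [v for t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names.
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True  # no applicable property: CAA does not restrict issuance
    # Drop any ";parameters" after the issuer domain name.
    return ca_domain in {v.split(";")[0].strip().lower() for v in values}
```

With this data, `may_issue("formaciones.firmaprofesional.com", "letsencrypt.org")` is false because the CNAME target has no CAA RRset and the climb stops at firmaprofesional.com, which matches the error in the thread.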