CAA record for prevents issuance

Hello everyone,

This is my first time using certbot and Let's Encrypt.

I am using Google Cloud and I've set up a zone. I believe that I have the CAA record set up correctly.

$ gcloud dns record-sets list --zone=rcorujo-dns-zone
NAME  TYPE   TTL    DATA
      A      3600
      CAA    300    0 issue ""
      NS     21600  ,,,
      SOA    21600  2 21600 3600 259200 300
      CNAME  3600

I have my "/etc/resolv.conf" pointing first to the Google DNS server ( for the zone I created.

root@nginx-deployment2-96bbdb955-qfffj:/tmp# cat /etc/resolv.conf
search default.svc.cluster.local svc.cluster.local cluster.local c.dai-dev-560.internal google.internal

The "dig" command shows that it can find the "CAA" record.

root@nginx-deployment2-96bbdb955-qfffj:/tmp# dig -t CAA

; <<>> DiG 9.18.24-1-Debian <<>> -t CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46221
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 512
; COOKIE: 8529b1ca57a0a2270167985f6b7bc8592f30033de0151abd0592ffffeb (good)

;; ANSWER SECTION:
 300 IN CAA 0 issue ""

;; Query time: 10 msec
;; WHEN: Mon Feb 26 15:21:54 UTC 2024
;; MSG SIZE rcvd: 134

However, the "certbot" command fails complaining about the "CAA" record, even though I specified I want to use the "http" challenge.

root@nginx-deployment2-96bbdb955-qfffj:/tmp# certbot certonly --test-cert --webroot --preferred-challenges http --webroot-path /usr/share/nginx/html --domains ''
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Type:   caa
  Detail: CAA record for prevents issuance

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The "/var/log/letsencrypt/letsencrypt.log" shows "resolverAddrs", which seems to suggest that my DNS server is not being used at all.

  "identifier": {
    "type": "dns",
    "value": ""
  "status": "invalid",
  "expires": "2024-03-04T15:19:45Z",
  "challenges": [
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:caa",
        "detail": "CAA record for prevents issuance",
        "status": 403
      "url": "",
      "token": "Z4l7ORirWWCjWyb_S92Q0cUSN75Ccubj497PHfay3wc",
      "validationRecord": [
          "url": "",
          "hostname": "",
          "port": "80",
          "addressesResolved": [
          "addressUsed": "",
          "resolverAddrs": [
      "validated": "2024-02-26T15:19:45Z"

How can I get it to use my "" DNS server?

Thank you.

This has been resolved. I used the Google Cloud instructions at and specified the "http" challenge, then followed the instructions that were displayed. I got my certificate.


With regard to your original CAA problem:

You think your DNS zone is operated by ns-cloud-e{1..4} while in reality, if you do a trace, your DNS zone is operated by ns{1..4}. And those NS don't have a CAA RR on file for that hostname. Only the 0 issue "" CAA RR exists for which is looked for if no other CAA RRs can be found for the other DNS labels.
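To make the label-climbing behaviour described above concrete, here is an added example (not code from the thread or from certbot) that models the RFC 8659 CAA lookup over a constructed in-memory zone: a host with no CAA RRset of its own inherits the parent's 0 issue "" record, which forbids every CA. The names example.test, www.example.test and ok.example.test are placeholders, and the model ignores issuewild and the critical flag.

```python
# Added example (not from the forum thread): a minimal model of the CAA
# lookup defined in RFC 8659, used to reason about why a CA refuses
# issuance. Zone data is constructed for illustration; the hostnames are
# placeholders, not the poster's real zone.
from typing import Dict, List, Optional, Tuple

# Constructed CAA data keyed by owner name: each entry is a list of
# (flags, tag, value) tuples. The apex carries the restrictive
# 0 issue "" record seen in the thread; the host name has no CAA at all.
ZONE_CAA: Dict[str, List[Tuple[int, str, str]]] = {
    "example.test.": [(0, "issue", "")],          # no CA may issue
    "www.example.test.": [],                      # no CAA RRset here
    "ok.example.test.": [(0, "issue", "letsencrypt.org")],
}


def relevant_caa(name: str) -> Optional[Tuple[str, List[Tuple[int, str, str]]]]:
    """Climb from the host name toward the root and return the first
    non-empty CAA RRset found, with the owner name it was found at.
    Returns None if no label in the chain has CAA records."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = ZONE_CAA.get(owner, [])
        if rrset:
            return owner, rrset
    return None


def issuance_allowed(name: str, ca_domain: str) -> Tuple[bool, str]:
    """Decide whether a CA identified by ca_domain may issue for name.
    An 'issue' tag with an empty value forbids every CA."""
    found = relevant_caa(name)
    if found is None:
        return True, "no CAA records in the chain; any CA may issue"
    owner, rrset = found
    issue_values = [v for (_, tag, v) in rrset if tag == "issue"]
    if not issue_values:
        # Only non-issue tags (e.g. iodef) present: not restrictive.
        return True, f"CAA at {owner} has no issue tag"
    if ca_domain in issue_values:
        return True, f"CAA at {owner} names {ca_domain}"
    return False, f"CAA at {owner} ({rrset}) does not permit {ca_domain}"


if __name__ == "__main__":
    for host in ("www.example.test.", "ok.example.test."):
        print(host, issuance_allowed(host, "letsencrypt.org"))
```

Note that the CA performs this lookup from its own resolvers against the zone's delegated nameservers (the resolverAddrs in the log), so the client's /etc/resolv.conf plays no part in the result.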
