The “registered domain” is
bcsd.com , and under that we have some dozens of subdomains, such as
For all subdomains, we get this output:
Error creating new cert :: Rechecking CAA: While processing CAA for <some-subdomain-here>.bcsd.com: CAA record for <some-subdomain-here>.bcsd.com prevents issuance
We have gotten that identical output for attempts on all subdomains, but not when issuing for the main “registered domain” itself.
We do have a CAA record on the registered domain itself, as can be seen here:
We do not have (and should not need) CAA records on the subdomains, as can be seen here:
If you wonder why I believe we should not need CAA records on the subdomains, I’ll reference https://letsencrypt.org/docs/caa/
You can set CAA records on your main domain, or at any depth of subdomain … CAs will check each version, from left to right, and stop as soon as they see any CAA record … Most people who add CAA records will want to add them to their registered domain (
example.com) so that they apply to all subdomains
We use a very old version of
certbot, which is almost certainly not the cause as it generates certs for some thousands of hostnames each month without problem. This problem appears to be occurring on LE servers, after which the failure is successfully communicated back to our client software. LE apparently dislikes the CAA records on this registered domain, or is perhaps not conforming to the claim made on the official website and not honoring the CAA record on the registered domain.
My money is on some failure of ours to set up the CAA record properly, but it’s passing the CAA validators online, so I’m not sure what to think.