CAA record prevents issuance

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:sudo /jet/etc/letsencrypt/certbot-auto renew --config-dir /jet/etc/letsencrypt

It produced this output:
Processing /jet/etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
nginx: [error] invalid PID number “” in “/run/”
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /jet/etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:caa :: CAA record for prevents issuance. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/jet/etc/letsencrypt/live/ (failure)

All renewal attempts failed. The following certs could not be renewed:
/jet/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


  • The following errors were reported by the server:

    Type: None
    Detail: CAA record for prevents issuance

My web server is (include version): debian lemp

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: google cloud compute engine

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The CAA record on my DNS SET UP prevents issuance , how I have to change it ?

I’m not sure how it happened, but the CAA record has extra quotation marks:             7200    IN      CAA     0 issue "''"

The double quotes are normal, but the single quotes shouldn’t be there. Let’s Encrypt is probably rejecting it due to their presence.

1 Like

Thank you I did it the change and it works fine:

Congratulations, all renewals succeeded. The following certs have been renewed:
/jet/etc/letsencrypt/live/ (success)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.