CAA validation error on CNAME lookup with no CAA record

We host subdomains for clients in a Ruby application. The client sets up a subdomain DNS record with a CNAME pointing to our application. We then use LetsEncrypt to issue a certificate from the application (using acme-client ruby gem).

For a single client we get CAA validation failed error on subdomain ‘’, and find that the main domain ‘’ has CAA records for Comodo and Thawte. Since the subdomain is just a CNAME record for our application domain ‘’, those CAA records should not be affecting the certificate validation if I’m reading the correctly.

My understanding is that since ‘’ is a CNAME, LE validation follows the CNAME redirection and requests CAA records from our domain ( -> and, finding none, should issue the certificate.

This is the only client with the issue. We issue certificates with client subdomains as SANs without issue for many other clients.

Many thanks.


Hi @TimJones

that's the "Tree climbing":

The CAA RFC specifies an additional behavior called “tree-climbing” that requires CAs to also check the parent domains of the result of CNAME resolution. This additional behavior was later removed by an erratum, so Let’s Encrypt and other CAs do not implement it.

That's not used.

But if is a CNAME, then first is checked. If there is no CAA, next (tree climbing of the original domain) is done. There is a blocking CAA.

So create a CAA with

-->> All CNAMEs with that destination -> is allowed to create certificates.

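The lookup order described in the reply above (follow the CNAME for each query, then climb the parents of the original name, never the parents of the CNAME target), as an added example that is not part of the original thread or of any CA's code. The zone data is constructed: `app.client.example`, `client.example`, `platform.example.net` and `lb.heroku-placeholder.test` stand in for the domain names the thread leaves out.

```python
"""CAA relevant-set lookup the way RFC 8659 (and Let's Encrypt) does it:
each query follows CNAMEs to the end, the climb walks the parents of the
ORIGINAL name, and the parents of a CNAME target are never consulted."""
import copy
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed placeholder zone standing in for the thread's elided names:
#   app.client.example         -> the client's subdomain, CNAME to the hosting app
#   client.example             -> the client's apex, with CAA for two other CAs
#   platform.example.net       -> the hosting app's domain, itself a CNAME
#   lb.heroku-placeholder.test -> the load balancer name (no records at all)
ZONE: Dict[str, dict] = {
    "client.example": {"CAA": [(0, "issue", "comodoca.com"), (0, "issue", "thawte.com")]},
    "app.client.example": {"CNAME": "platform.example.net"},
    "platform.example.net": {"CNAME": "lb.heroku-placeholder.test"},
}


def lookup_caa(name: str, zone: Dict[str, dict], max_hops: int = 8) -> List[CaaRecord]:
    """CAA RRset at `name` as a resolver returns it: CNAMEs are chased to the end."""
    for _ in range(max_hops + 1):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return list(rrs.get("CAA", []))
    raise RuntimeError("CNAME chain too long (possible loop)")


def relevant_caa_set(name: str, zone: Dict[str, dict]) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return the first non-empty CAA RRset found while climbing from `name`
    towards the TLD, together with the label it was found for.  Each step
    follows CNAMEs, but the climb uses the original name's parents only."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:])
        rrset = lookup_caa(ancestor, zone)
        if rrset:
            return ancestor, rrset
    return None, []


def issuance_allowed(name: str, zone: Dict[str, dict], ca: str = "letsencrypt.org") -> bool:
    """True if `ca` may issue a (non-wildcard) certificate for `name`."""
    _, rrset = relevant_caa_set(name, zone)
    issue_values = [value for _flags, tag, value in rrset if tag == "issue"]
    if not issue_values:  # no CAA anywhere, or only unrelated tags such as iodef
        return True
    # An issue value may carry parameters after ';' ("letsencrypt.org; validationmethods=dns-01");
    # a bare ";" names no CA at all and therefore permits nobody.
    permitted = {value.split(";")[0].strip().lower() for value in issue_values}
    return ca.lower() in permitted


def with_caa(zone: Dict[str, dict], name: str, *issuers: str) -> Dict[str, dict]:
    """Copy of `zone` with an `issue` CAA record for each of `issuers` added at `name`."""
    new = copy.deepcopy(zone)
    new.setdefault(name, {}).setdefault("CAA", []).extend((0, "issue", i) for i in issuers)
    return new


if __name__ == "__main__":
    sub = "app.client.example"
    print("as reported:", relevant_caa_set(sub, ZONE), issuance_allowed(sub, ZONE))
    # A CAA record at the parent of the CNAME *target* is never climbed to.
    print("CAA at example.net:", issuance_allowed(sub, with_caa(ZONE, "example.net", "letsencrypt.org")))
    # A CAA record at the end of the CNAME chain is seen by the very first lookup.
    print("CAA at load balancer:", issuance_allowed(sub, with_caa(ZONE, "lb.heroku-placeholder.test", "letsencrypt.org")))
    # Or the client adds Let's Encrypt to its own CAA set.
    print("client adds LE:", issuance_allowed(sub, with_caa(ZONE, "client.example", "letsencrypt.org")))
```

Running it reproduces the thread: the first query for `app.client.example` follows the CNAME chain and finds nothing, the climb then hits `client.example` and its Comodo/Thawte records block Let's Encrypt; a record at `example.net` changes nothing, while one at the load-balancer name or at `client.example` unblocks issuance.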

Thanks for the confirmation. I wasn’t expecting the tree-climbing to ‘go back’ to the main domain after a CNAME had been climbed.

I forgot to mention in my message that our is also a CNAME pointing to a Heroku Load Balancer, so we cannot add a CAA record to that domain. If I add one to ‘’ it would not be climbed by the validation rules, correct?


Correct. :frowning: Your options are:

  • Get the CAA records modified,
  • Get Heroku to add CAA records at, or
  • Find a third option (e.g. stop using Heroku, use some kind of proprietary alias record instead of a CNAME...)
