We host subdomains for clients in a Ruby application. The client sets up a subdomain DNS record with a CNAME pointing to our application. We then use Let's Encrypt to issue a certificate from the application (using the acme-client Ruby gem).
For a single client we get a CAA validation failed error on the subdomain ‘jobs.dcvc.com’, and find that the main domain ‘dcvc.com’ has CAA records for Comodo and Thawte. Since the subdomain is just a CNAME record for our application domain ‘ns3.monday.vc’, those CAA records should not be affecting the certificate validation if I’m reading https://letsencrypt.org/docs/caa/ correctly.
As I understand it, since ‘jobs.dcvc.com’ is a CNAME, LE validation follows the CNAME redirection and requests CAA records from our domain (ns3.monday.vc -> monday.vc) and, finding none, should issue the certificate.
This is the only client with the issue. We issue certificates with client subdomains as SANs without issue for many other clients.
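
For reference, the CAA lookup order defined in RFC 8659 section 3, worked through for the names in this post. This is an added example, not code from the post or from Let's Encrypt; the `ZONE` data is constructed, the CAA values `comodoca.com` and `thawte.com` are assumed, and the function names are hypothetical.

```ruby
# Constructed sample zone data (not real DNS answers). Assumed CAA values.
ZONE = {
  "jobs.dcvc.com" => { cname: "ns3.monday.vc" },
  "dcvc.com"      => { caa: [["issue", "comodoca.com"], ["issue", "thawte.com"]] },
  "ns3.monday.vc" => {},
  "monday.vc"     => {}
}.freeze

MAX_CNAME_HOPS = 8

# CAA(X): the RRset a resolver returns for a CAA query at X.
# The resolver follows a CNAME chain to its target before answering.
def caa_query(name, zone)
  MAX_CNAME_HOPS.times do
    rec = zone.fetch(name, {})
    return rec.fetch(:caa, []) unless rec[:cname]
    name = rec[:cname]
  end
  raise "CNAME chain too long at #{name}"
end

# RFC 8659 section 3: climb the labels of the ORIGINAL name and return
# [owner, rrset] for the first name whose CAA query is non-empty.
# The parents of a CNAME target are never climbed.
def relevant_caa_set(fqdn, zone)
  labels = fqdn.downcase.chomp(".").split(".")
  until labels.empty?
    owner = labels.join(".")
    rrset = caa_query(owner, zone)
    return [owner, rrset] unless rrset.empty?
    labels.shift
  end
  [nil, []]
end

# Non-wildcard issuance check: only "issue" properties restrict it.
def issuance_allowed?(fqdn, ca_domain, zone)
  _owner, rrset = relevant_caa_set(fqdn, zone)
  issuers = rrset.select { |tag, _| tag == "issue" }
                 .map { |_, value| value.split(";").first.to_s.strip.downcase }
  issuers.empty? || issuers.include?(ca_domain.downcase)
end
```

With this data the relevant set for `jobs.dcvc.com` is the one at `dcvc.com`, because the query at `jobs.dcvc.com` (answered via the CNAME target `ns3.monday.vc`) is empty and the climb continues at the original name's parent. A CAA record published at the CNAME target itself would be found first and would be the relevant set.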