Can't renew wildcard certificate on digital ocean


About 11 weeks ago I got a wildcard certificate and ran the command specified below to obtain the first set of wildcard certificates, now they’re about to expire, but when I tried to renew them I couldn’t.

My domain is: (ficticious)

I ran this command:
sudo certbot -a dns-digitalocean certonly -i nginx -d “*” -d --server --dns-di gitalocean --dns-digitalocean-credentials /etc/letsencrypt/tokenfile --email --agree-tos

It produced this output:
Plugins selected: Authenticator dns-digitalocean, Installer nginx
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Waiting 10 seconds for DNS changes to propagate
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:caa :: CAA record for prevents issuance, (dns-01): urn:ietf:params:acme:error:caa :: CAA record for * prevents issuance

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I need some help before they expire

CAA record for prevents issuance
literal error message says your domain’s CAA record (or it’s parent) prevent issuance from we can’t say anything more about it without your domain and lookup CAA itself.

1 Like

Hi @alcides

to check that, your domain name is required.

PS: May be a CAA-problem, may be a DNSSEC-problem.

Or your name servers are too buggy.

1 Like

Hi, this is my actual DNS configuration:

CAA should be `’ not ‘

1 Like

Now your entry looks ok:

8. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout 5 issue 1 0 5 issue 1 0
com 0 no CAA entry found 1 0

Did you change it or is this a wrong menu entry?

@orangepizza and @JuergenAuer thanks for your help, my config now looks like:

and as result I have renewed the certificate successfully with the same command above.

Have a good day!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.