It produced this output:
“careers.cnu.edu” is managed.
ERROR CA forbidden: “careers.cnu.edu”
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): AlmaLinux 8.9
My hosting provider, if applicable, is: LiquidWeb
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): WHM/cPanel 118.0.4
I am unable to get a certificate issued though Let's Encrypt for careers.cnu.edu even though this domain is hosted on a box that I control. I am able to get a SSL issued though Sectigo for the domain but cPanel is discontinuing support for Sectigo. Therefore Let's Encrypt is doing something different to validate the domain than Sectigo is.
The subdomain is pointed to our server via an A record by a client of ours. I have the same set up for other clients and am able to get Let's Encrypt to issue SSLs for those domains, for example epss.morgan.edu
Thanks for the help. Our system is replacing SSLs by Sectigo with those by Let's Encrypt. This is the only domain that we have run into this issue with.
Somebody may have manually made that specific CAA record for this subdomain (maybe following some Sectigo documentation; it could be a reasonable choice if you have an organizational policy to use only a specific certificate authority or only those on a specific list). I don't know why nobody would have done the same thing for other subdomains; maybe there was someone especially conscientious involved in setting up that particular part of your infrastructure?
I understand what needs to be done. I have already put in a request for the client to add the appropriate CAA record as they control the DNS for this subdomain.