Domain validation failed, but CAA records are correct

My domain is:
centerparcsvergelijk.nl

I ran this command:
via Plesk extension reissued

It produced this output:
Domain validation failed for centerparcsvergelijk.nl: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/586968865.
Type: urn:ietf:params:acme:error:caa
Status: 403
Detail: CAA record for centerparcsvergelijk.nl prevents issuance

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian

The DNS records are:
centerparcsvergelijk.nl. CAA (issuewild) letsencrypt.org
centerparcsvergelijk.nl. CAA (issue) ;
centerparcsvergelijk.nl. CAA (iodef) mailto:[email]

I’m requesting a wildcard certificate.

Your CAA record only allows issuance of a wildcard certificate. It’s pretty common for wildcard certificate requests to also contain the non-wildcard apex. If Plesk is doing that, that’s your problem and you either need to update the record to allow non-wildcards or configure Plesk to stop doing that (no clue if that’s possible).

Edit: If you click the link to the authorization in your post, you can see it failed on validating an http-01 challenge for the apex centerparcsvergelijk.nl domain.


In Plesk, I believe it now always uses DNS instead of HTTP validation. So I was also wondering why that HTTP part is still there.

It turns out that if you have a single domain certificate on a domain and want to change it to a wildcard certificate, you sometimes must have the issue CAA record set to ‘letsencrypt.org’.

In my case, I’m changing all domains from single domain certificates to wildcard certificates and in 2 out of 30 domains, the issue CAA record was needed.

Thank you for your reply. Forgot to thank you in my new post. 🙂
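The two posts above (the explanation that an `issuewild`-only record set blocks the apex name that a wildcard order usually carries, and the later observation that an `issue` record for letsencrypt.org was needed) both come down to how a CA evaluates CAA under RFC 8659. The following is an added example, not code from the thread, from Plesk or from Let's Encrypt: a small evaluator that climbs to the relevant CAA RRset, applies the `issue` / `issuewild` selection rule, honours the critical flag, and then checks every name in an order. The zone data is constructed to mirror the records quoted in the thread (the `mailto:[email]` placeholder is kept as quoted); the "fixed" zone adds the `issue` record the thread arrived at.

```python
"""RFC 8659 CAA evaluation, written as an added example for this thread.

A zone is modelled as a dict mapping an owner name (with trailing dot) to a
list of (flags, tag, value) tuples, i.e. the CAA records as fetched from DNS.
All sample data below is constructed.
"""
from __future__ import annotations

CRITICAL = 0x80                      # "issuer critical" flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

CAARecord = tuple[int, str, str]


def relevant_rrset(zone: dict[str, list[CAARecord]], name: str) -> list[CAARecord]:
    """Return the CAA RRset that governs `name` (RFC 8659 section 3).

    A leading '*.' label is dropped, then the name is walked upward one label
    at a time; the first owner that has a CAA RRset wins.  A wildcard name is
    therefore governed by the same RRset as its parent, and a subdomain with
    no records of its own inherits the parent's policy.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """Extract the issuer domain from an issue/issuewild value.

    Parameters may follow a ';' (e.g. "ca.example; account=123").  The bare
    value ';' yields an empty domain, which means "no issuer may issue".
    """
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone: dict[str, list[CAARecord]], name: str, ca: str) -> bool:
    """Decide whether `ca` may issue for `name` (RFC 8659 section 4.2).

    * Non-wildcard names are governed only by 'issue' tags.
    * Wildcard names are governed by 'issuewild' tags when any exist,
      otherwise by 'issue' tags.
    * No governing tag at all means issuance is unrestricted.
    * An unrecognised tag carrying the critical flag forbids issuance.
    """
    rrset = relevant_rrset(zone, name)
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    is_wild = name.startswith("*.")
    wild_tags = [v for _, t, v in rrset if t.lower() == "issuewild"]
    issue_tags = [v for _, t, v in rrset if t.lower() == "issue"]
    governing = wild_tags if (is_wild and wild_tags) else issue_tags
    if not governing:
        return True
    return ca.lower() in {issuer_domain(v) for v in governing}


def order_allowed(zone: dict[str, list[CAARecord]], names: list[str], ca: str) -> dict[str, bool]:
    """Evaluate each name in a certificate order; the order only succeeds if every value is True."""
    return {n: issuance_allowed(zone, n, ca) for n in names}


# Constructed RRset mirroring the records quoted in the thread.
THREAD_ZONE: dict[str, list[CAARecord]] = {
    "centerparcsvergelijk.nl.": [
        (0, "issuewild", "letsencrypt.org"),
        (0, "issue", ";"),
        (0, "iodef", "mailto:[email]"),
    ],
}

# The same zone with the change the thread arrived at: an 'issue' tag for Let's Encrypt.
FIXED_ZONE: dict[str, list[CAARecord]] = {
    "centerparcsvergelijk.nl.": [
        (0, "issuewild", "letsencrypt.org"),
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:[email]"),
    ],
}

# Names a typical wildcard order carries: the wildcard plus the apex.
ORDER_NAMES = ["*.centerparcsvergelijk.nl", "centerparcsvergelijk.nl"]

if __name__ == "__main__":
    for label, zone in (("as posted", THREAD_ZONE), ("with issue tag", FIXED_ZONE)):
        print(label, order_allowed(zone, ORDER_NAMES, "letsencrypt.org"))
```

Running it shows the failure mode from the thread: with the records as posted, the wildcard name passes but the apex is refused because `issue ";"` names no permitted issuer, so an order containing both names fails; adding `issue letsencrypt.org` makes both names pass. A plain subdomain such as `www.centerparcsvergelijk.nl` is also refused under the posted records, since it inherits the parent's `issue` policy.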
