It produced this output:
Domain validation failed for centerparcsvergelijk.nl: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/586968865.
Type: urn:ietf:params:acme:error:caa
Status: 403
Detail: CAA record for centerparcsvergelijk.nl prevents issuance
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian
The DNS records are:
centerparcsvergelijk.nl. CAA (issuewild) letsencrypt.org
centerparcsvergelijk.nl. CAA (issue) ;
centerparcsvergelijk.nl. CAA (iodef) mailto:[email]
Your CAA record only allows issuance of a wildcard certificate. It’s pretty common for wildcard certificate requests to also contain the non-wildcard apex. If Plesk is doing that, that’s your problem and you either need to update the record to allow non-wildcards or configure Plesk to stop doing that (no clue if that’s possible).
Edit: If you click the link to the authorization in your post, you can see it failed on validating an http-01 challenge for the apex centerparcsvergelijk.nl domain.
In Plesk, I believe it now always uses DNS instead of HTTP validation. So I was also wondering why that HTTP part is still there.
It turns out that if you have a single domain certificate on a domain and want to change it to a wildcard certificate, you sometimes must have the issue CAA record set to ‘letsencrypt.org’.
In my case, I’m changing all domains from single domain certificates to wildcard certificates and in 2 out of 30 domains, the issue CAA record was needed.
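The issue/issuewild interaction explained in the reply above, as an added example that is not part of any post in this thread. It evaluates a CAA record set the way RFC 8659 describes for each name in a certificate order; it assumes the records were already looked up for the domain itself (no tree climbing), and the function names are hypothetical.

```python
# Added example: simplified RFC 8659 evaluation of issue / issuewild.
CA = "letsencrypt.org"

# Constructed from the record set quoted in the thread: (tag, value) pairs.
RECORDS = [
    ("issuewild", "letsencrypt.org"),
    ("issue", ";"),
    ("iodef", "mailto:[email]"),
]

# Same set with the apex also permitted (one of the two fixes suggested).
FIXED = [("issuewild", "letsencrypt.org"), ("issue", "letsencrypt.org")]


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(records, name, ca=CA):
    """True if the CAA set lets `ca` issue for `name` (may start with '*.')."""
    issue = [issuer_domain(v) for t, v in records if t.lower() == "issue"]
    wild = [issuer_domain(v) for t, v in records if t.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    # Non-wildcard names ignore issuewild entirely.
    relevant = (wild or issue) if name.startswith("*.") else issue
    if not relevant:
        return True  # no restricting property, so CAA does not limit issuance
    return ca.lower() in relevant  # an empty issuer ('') never matches a CA


def check_order(records, names, ca=CA):
    """Map every identifier in a certificate order to permitted / blocked."""
    return {n: caa_permits(records, n, ca) for n in names}


if __name__ == "__main__":
    order = ["*.centerparcsvergelijk.nl", "centerparcsvergelijk.nl"]
    for label, rrset in (("current", RECORDS), ("fixed", FIXED)):
        for name, ok in check_order(rrset, order).items():
            print(f"{label:8} {name:28} {'permitted' if ok else 'blocked by CAA'}")
```

With the thread's records, a wildcard order that also lists the apex passes CAA for the `*.` name and fails for the apex, which is the identifier the failed authorization was for.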