Domain validation failed, but CAA records are correct

My domain is:

I ran this command:
via Plesk extension reissued

It produced this output:
Domain validation failed for Invalid response from
Type: urn:ietf:params:acme:error:caa
Status: 403
Detail: CAA record for prevents issuance

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk Obsidian

The DNS records are; CAA (issuewild) CAA (issue) ; CAA (iodef) mailto:[email]

I’m requesting a wildcard certificate.

Your CAA record only allows issuance of a wildcard certificate. It’s pretty common for wildcard certificate requests to also contain the non-wildcard apex. If Plesk is doing that, that’s your problem and you either need to update the record to allow non-wildcards or configure Plesk to stop doing that (no clue if that’s possible).

Edit: If you click the link to the authorization in your post, you can see it failed on validating an http-01 challenge for the apex domain.

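Added example (not part of the original thread, and not code from Plesk or the CA): a small RFC 8659 evaluator showing why an order containing both a wildcard name and the apex is refused when the CAA set only permits wildcard issuance. The thread does not show the actual record values, so the zone contents, the `example.com` names and the `letsencrypt.org` CA identifier are constructed assumptions.

```python
# Added example: CAA (RFC 8659) evaluation for a wildcard + apex order.
# All record values and names below are constructed for illustration.

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_of(value):
    """Issuer domain of an issue/issuewild value; '' means 'no CA allowed'."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(zone, name, ca):
    """True if CA identifier `ca` may issue for `name` under the zone's CAA."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag not in known for flags, tag, _ in rrset):
        return False  # unrecognised critical property: must not issue
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    # Non-wildcard names ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # nothing restricts this kind of name
    return any(issuer_of(v) == ca for v in applicable)

def blocked_names(zone, names, ca):
    """Names in a certificate order that CAA forbids this CA to issue for."""
    return [n for n in names if not caa_permits(zone, n, ca)]

# Constructed zone: wildcard issuance allowed, non-wildcard forbidden.
WILDCARD_ONLY = {"example.com": [(0, "issue", ";"),
                                 (0, "issuewild", "letsencrypt.org"),
                                 (0, "iodef", "mailto:hostmaster@example.com")]}
# Same zone after also allowing non-wildcard issuance.
BOTH = {"example.com": [(0, "issue", "letsencrypt.org"),
                        (0, "issuewild", "letsencrypt.org")]}
ORDER = ["*.example.com", "example.com"]  # wildcard plus apex in one order

if __name__ == "__main__":
    print("wildcard-only:", blocked_names(WILDCARD_ONLY, ORDER, "letsencrypt.org"))
    print("both:", blocked_names(BOTH, ORDER, "letsencrypt.org"))
```

Running `blocked_names` over the names a client is about to request, before reissuing, shows which CAA property needs changing.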

In Plesk, I believe it now always uses DNS instead of HTTP validation. So I was also wondering why that HTTP part is still there.

It turns out that if you have a single domain certificate on a domain and want to change it to a wildcard certificate, you sometimes must have the issue CAA record set to ‘’.

In my case, I’m changing all domains from single domain certificates to wildcard certificates and in 2 out of 30 domains, the issue CAA record was needed.

Thank you for your reply. Forgot to thank you in my new post.