I ran this command: "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --ecc --debug
Logs:
v2.8.0
[Thu Aug 16 14:47:11 EDT 2018] ===Starting cron===
[Thu Aug 16 14:47:11 EDT 2018] Renew: 'example.com'
[Thu Aug 16 14:47:13 EDT 2018] Multi domain='DNS:example.com,DNS:.example.com'
[Thu Aug 16 14:47:13 EDT 2018] Getting domain auth token for each domain
[Thu Aug 16 14:47:16 EDT 2018] Getting webroot for domain='example.com'
[Thu Aug 16 14:47:16 EDT 2018] Getting webroot for domain='.example.com'
[Thu Aug 16 14:47:16 EDT 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Thu Aug 16 14:47:17 EDT 2018] Adding record
[Thu Aug 16 14:47:18 EDT 2018] Added, OK
[Thu Aug 16 14:47:18 EDT 2018] Sleep 120 seconds for the txt records to take effect
[Thu Aug 16 14:49:18 EDT 2018] example.com is already verified, skip dns-01.
[Thu Aug 16 14:49:18 EDT 2018] Verifying:.example.com
[Thu Aug 16 14:49:22 EDT 2018] Removing DNS records.
[Thu Aug 16 14:49:26 EDT 2018] Renew: 'example.com'
[Thu Aug 16 14:49:27 EDT 2018] Multi domain='DNS:example.com,DNS:.example.com'
[Thu Aug 16 14:49:27 EDT 2018] Getting domain auth token for each domain
[Thu Aug 16 14:49:31 EDT 2018] Getting webroot for domain='example.com'
[Thu Aug 16 14:49:31 EDT 2018] Getting webroot for domain='.example.com'
[Thu Aug 16 14:49:31 EDT 2018] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[Thu Aug 16 14:49:32 EDT 2018] Adding record
[Thu Aug 16 14:49:33 EDT 2018] Added, OK
[Thu Aug 16 14:49:33 EDT 2018] Sleep 120 seconds for the txt records to take effect
[Thu Aug 16 14:51:33 EDT 2018] example.com is already verified, skip dns-01.
[Thu Aug 16 14:51:33 EDT 2018] Verifying:.example.com
[Thu Aug 16 14:51:37 EDT 2018] Removing DNS records.
[Thu Aug 16 14:51:41 EDT 2018] ===End cron===
Debug:
[Thu Aug 16 14:49:27 EDT 2018] _currentRoot='dns_cf'
[Thu Aug 16 14:49:27 EDT 2018] d
[Thu Aug 16 14:49:27 EDT 2018] _saved_account_key_hash is not changed, skip register account.
[Thu Aug 16 14:49:27 EDT 2018] Read key length:ec-256
[Thu Aug 16 14:49:27 EDT 2018] createcsr
[Thu Aug 16 14:49:27 EDT 2018] d='*.example._com'
[Thu Aug 16 14:49:27 EDT 2018] d
[Thu Aug 16 14:49:27 EDT 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Aug 16 14:49:27 EDT 2018] payload='{"identifiers": [{"type":"dns","value":"example.com"},{"type":"dns","value":"*.example._com"}]}'
[Thu Aug 16 14:49:27 EDT 2018] RSA key
[Thu Aug 16 14:49:27 EDT 2018] HEAD
[Thu Aug 16 14:49:27 EDT 2018] _post_url='https://acme-v02.api.letsencrypt._org/acme/new-nonce'
[Thu Aug 16 14:49:28 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:28 EDT 2018] _ret='0'
[Thu Aug 16 14:49:28 EDT 2018] POST
[Thu Aug 16 14:49:28 EDT 2018] _post_url='https://acme-v02.api.letsencrypt._org/acme/new-order'
[Thu Aug 16 14:49:28 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:29 EDT 2018] _ret='0'
[Thu Aug 16 14:49:29 EDT 2018] code='201'
[Thu Aug 16 14:49:29 EDT 2018] Le_OrderFinalize='https://acme-v02.api.letsencrypt._org/acme/finalize/35174842/39923309'
[Thu Aug 16 14:49:29 EDT 2018] GET
[Thu Aug 16 14:49:29 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/authz/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c'
[Thu Aug 16 14:49:29 EDT 2018] timeout=
[Thu Aug 16 14:49:29 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:30 EDT 2018] ret='0'
[Thu Aug 16 14:49:30 EDT 2018] GET
[Thu Aug 16 14:49:30 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/authz/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw'
[Thu Aug 16 14:49:30 EDT 2018] timeout=
[Thu Aug 16 14:49:30 EDT 2018] CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:30 EDT 2018] ret='0'
[Thu Aug 16 14:49:31 EDT 2018] d='example._com'
[Thu Aug 16 14:49:31 EDT 2018] _w='dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] _currentRoot='dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] entry='"type":"dns-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652","token":"9kLUAahwgOqs1iTgGdHGGcguO3wzS3hBOHXDmY6UDyo","validationRecord":[{"hostname":"example._com"'
[Thu Aug 16 14:49:31 EDT 2018] token='9kLUAahwgOqs1iTgGdHGGcguO3wzS3hBOHXDmY6UDyo'
[Thu Aug 16 14:49:31 EDT 2018] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652'
[Thu Aug 16 14:49:31 EDT 2018] keyauthorization='9kLUAahwgOqs1iTgGdHGGcguO3wzS3hBOHXDmY6UDyo.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs'
[Thu Aug 16 14:49:31 EDT 2018] example.com is already verified.
[Thu Aug 16 14:49:31 EDT 2018] keyauthorization='verified_ok'
[Thu Aug 16 14:49:31 EDT 2018] dvlist='example._com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652#dns-01#dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] d='*.example._com'
[Thu Aug 16 14:49:31 EDT 2018] _w='dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] _currentRoot='dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974","token":"hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0"'
[Thu Aug 16 14:49:31 EDT 2018] token='hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0'
[Thu Aug 16 14:49:31 EDT 2018] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:49:31 EDT 2018] keyauthorization='hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs'
[Thu Aug 16 14:49:31 EDT 2018] dvlist='*.example._com#hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs#https://acme-v02.api.letsencrypt.org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974#dns-01#dns_cf'
[Thu Aug 16 14:49:31 EDT 2018] d
[Thu Aug 16 14:49:31 EDT 2018] vlist='example._com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652#dns-01#dns_cf,*.example._com#hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs#https://acme-v02.api.letsencrypt.org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974#dns-01#dns_cf,'
[Thu Aug 16 14:49:31 EDT 2018] d='example.com'
[Thu Aug 16 14:49:31 EDT 2018] example.com is already verified, skip dns-01.
[Thu Aug 16 14:49:31 EDT 2018] d='*.example._com'
[Thu Aug 16 14:49:31 EDT 2018] _d_alias
[Thu Aug 16 14:49:31 EDT 2018] txtdomain='acme-challenge.example.com'
[Thu Aug 16 14:49:31 EDT 2018] txt='izOxoD_gMB2iHZ-qUapvsBXPHUCBrpqCVvlfo0y4Bjs'
[Thu Aug 16 14:49:31 EDT 2018] d_api='/root/.acme.sh/dnsapi/dns_cf.sh'
[Thu Aug 16 14:49:31 EDT 2018] First detect the root zone
[Thu Aug 16 14:49:31 EDT 2018] h='example.com'
[Thu Aug 16 14:49:31 EDT 2018] zones?name=example.com
[Thu Aug 16 14:49:31 EDT 2018] GET
[Thu Aug 16 14:49:31 EDT 2018] url='https://api.cloudflare.com/client/v4/zones?name=example._com'
[Thu Aug 16 14:49:31 EDT 2018] timeout=
[Thu Aug 16 14:49:31 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:31 EDT 2018] ret='0'
[Thu Aug 16 14:49:31 EDT 2018] _domain_id='38f6a49fc3801922c77f2603eed9b93c'
[Thu Aug 16 14:49:31 EDT 2018] _sub_domain='_acme-challenge'
[Thu Aug 16 14:49:31 EDT 2018] domain='example._com'
[Thu Aug 16 14:49:31 EDT 2018] Getting txt records
[Thu Aug 16 14:49:31 EDT 2018] zones/38f6a49fc3801922c77f2603eed9b93c/dns_records?type=TXT&name=acme-challenge.example.com
[Thu Aug 16 14:49:31 EDT 2018] GET
[Thu Aug 16 14:49:31 EDT 2018] url='https://api.cloudflare._com/client/v4/zones/38f6a49fc3801922c77f2603eed9b93c/dns_records?type=TXT&name=acme-challenge.example._com'
[Thu Aug 16 14:49:31 EDT 2018] timeout=
[Thu Aug 16 14:49:31 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:32 EDT 2018] ret='0'
[Thu Aug 16 14:49:32 EDT 2018] zones/38f6a49fc3801922c77f2603eed9b93c/dns_records
[Thu Aug 16 14:49:32 EDT 2018] data='{"type":"TXT","name":"acme-challenge.example._com","content":"izOxoD_gMB2iHZ-qUapvsBXPHUCBrpqCVvlfo0y4Bjs","ttl":120}'
[Thu Aug 16 14:49:32 EDT 2018] POST
[Thu Aug 16 14:49:32 EDT 2018] post_url='https://api.cloudflare._com/client/v4/zones/38f6a49fc3801922c77f2603eed9b93c/dns_records'
[Thu Aug 16 14:49:32 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:49:33 EDT 2018] ret='0'
[Thu Aug 16 14:51:33 EDT 2018] ok, let's start to verify
[Thu Aug 16 14:51:33 EDT 2018] d='*.example._com'
[Thu Aug 16 14:51:33 EDT 2018] keyauthorization='hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs'
[Thu Aug 16 14:51:33 EDT 2018] uri='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:33 EDT 2018] _currentRoot='dns_cf'
[Thu Aug 16 14:51:33 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:33 EDT 2018] payload='{"keyAuthorization": "hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs"}'
[Thu Aug 16 14:51:33 EDT 2018] POST
[Thu Aug 16 14:51:33 EDT 2018] _post_url='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:33 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:34 EDT 2018] _ret='0'
[Thu Aug 16 14:51:34 EDT 2018] code='200'
[Thu Aug 16 14:51:34 EDT 2018] trigger validation code: 200
[Thu Aug 16 14:51:34 EDT 2018] sleep 2 secs to verify
[Thu Aug 16 14:51:36 EDT 2018] checking
[Thu Aug 16 14:51:36 EDT 2018] GET
[Thu Aug 16 14:51:36 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:36 EDT 2018] timeout=
[Thu Aug 16 14:51:36 EDT 2018] CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:37 EDT 2018] ret='0'
[Thu Aug 16 14:51:37 EDT 2018] *.example.com:Verify error:CAA record for *.example._com prevents issuance
[Thu Aug 16 14:51:37 EDT 2018] Skip for removelevel:
[Thu Aug 16 14:51:37 EDT 2018] pid
[Thu Aug 16 14:51:37 EDT 2018] No need to restore nginx, skip.
[Thu Aug 16 14:51:37 EDT 2018] _clearupdns
[Thu Aug 16 14:51:37 EDT 2018] txt='Sxr4udfrjS53jROI3xYPkGLWZF2C06WyVZe-KiWSwM'
[Thu Aug 16 14:51:37 EDT 2018] example._com is already verified, skip dns-01.
[Thu Aug 16 14:51:37 EDT 2018] txt='izOxoD_gMB2iHZ-qUapvsBXPHUCBrpqCVvlfo0y4Bjs'
[Thu Aug 16 14:51:37 EDT 2018] d_api='/root/.acme.sh/dnsapi/dns_cf.sh'
[Thu Aug 16 14:51:37 EDT 2018] d_alias
[Thu Aug 16 14:51:37 EDT 2018] First detect the root zone
[Thu Aug 16 14:51:37 EDT 2018] h='example.com'
[Thu Aug 16 14:51:37 EDT 2018] zones?name=example.com
[Thu Aug 16 14:51:37 EDT 2018] GET
[Thu Aug 16 14:51:37 EDT 2018] url='https://api.cloudflare.com/client/v4/zones?name=example._com'
[Thu Aug 16 14:51:37 EDT 2018] timeout=
[Thu Aug 16 14:51:37 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:38 EDT 2018] ret='0'
[Thu Aug 16 14:51:38 EDT 2018] _domain_id='38f6a49fc3801922c77f2603eed9b93c'
[Thu Aug 16 14:51:38 EDT 2018] _sub_domain='_acme-challenge'
[Thu Aug 16 14:51:38 EDT 2018] domain='example._com'
[Thu Aug 16 14:51:38 EDT 2018] Getting txt records
[Thu Aug 16 14:51:38 EDT 2018] zones/38f6a49fc3801922c77f2603eed9b93c/dns_records?type=TXT&name=acme-challenge.example.com&content=izOxoD_gMB2iHZ-qUapvsBXPHUCBrpqCVvlfo0y4Bjs
[Thu Aug 16 14:51:38 EDT 2018] GET
[Thu Aug 16 14:51:38 EDT 2018] url='https://api.cloudflare._com/client/v4/zones/38f6a49fc3801922c77f2603eed9b93c/dns_records?type=TXT&name=acme-challenge.example._com&content=izOxoD_gMB2iHZ-qUapvsBXPHUCBrpqCVvlfo0y4Bjs'
[Thu Aug 16 14:51:38 EDT 2018] timeout=
[Thu Aug 16 14:51:38 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:38 EDT 2018] ret='0'
[Thu Aug 16 14:51:38 EDT 2018] count='1'
[Thu Aug 16 14:51:38 EDT 2018] record_id='0294668b447af0336e72c3e06cua7b95'
[Thu Aug 16 14:51:38 EDT 2018] zones/38f6a49fc3801922c77f2603eed9b93c/dns_records/0294668b447af0336e72c3e06cua7b95
[Thu Aug 16 14:51:38 EDT 2018] data
[Thu Aug 16 14:51:38 EDT 2018] DELETE
[Thu Aug 16 14:51:38 EDT 2018] post_url='https://api.cloudflare._com/client/v4/zones/38f6a49fc3801922c77f2603eed9b93c/dns_records/0294668b447af0336e72c3e06cua7b95'
[Thu Aug 16 14:51:38 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:39 EDT 2018] _ret='0'
[Thu Aug 16 14:51:39 EDT 2018] _on_issue_err
[Thu Aug 16 14:51:39 EDT 2018] Please add '--debug' or '--log' to check more details.
[Thu Aug 16 14:51:39 EDT 2018] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
[Thu Aug 16 14:51:39 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652'
[Thu Aug 16 14:51:39 EDT 2018] payload='{"keyAuthorization": "verified_ok"}'
[Thu Aug 16 14:51:39 EDT 2018] POST
[Thu Aug 16 14:51:39 EDT 2018] _post_url='https://acme-v02.api.letsencrypt._org/acme/challenge/FeZYA5w0IU4lingti8jCOXNx5517wZd-EPj_lIYPk9c/6515051652'
[Thu Aug 16 14:51:39 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:40 EDT 2018] _ret='0'
[Thu Aug 16 14:51:40 EDT 2018] code='200'
[Thu Aug 16 14:51:40 EDT 2018] url='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:40 EDT 2018] payload='{"keyAuthorization": "hdTj0d_Ay1_Y946Sh7YkqDgpm3omc821ApkiIgEPoe0.d1E_QCux882jc_fHb7saPJeN9s4P7j3YybtknbYDMBs"}'
[Thu Aug 16 14:51:40 EDT 2018] POST
[Thu Aug 16 14:51:40 EDT 2018] _post_url='https://acme-v02.api.letsencrypt._org/acme/challenge/DAC7WfNrKAtyN1m2XcCa0MYMsyP57NBKtpCz9qYARaw/6532039974'
[Thu Aug 16 14:51:40 EDT 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 16 14:51:41 EDT 2018] ret='0'
[Thu Aug 16 14:51:41 EDT 2018] code='400'
[Thu Aug 16 14:51:41 EDT 2018] socat doesn't exists.
[Thu Aug 16 14:51:41 EDT 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g 1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads
socat:
[Thu Aug 16 14:51:41 EDT 2018] Return code: 1
[Thu Aug 16 14:51:41 EDT 2018] Error renew example._com_ecc.
Yes, that shows the issue. You don’t have an issuewild allowing Let’s Encrypt to issue wildcard certificates. Only Comodo, DigiCert, and GlobalSign can issue wildcards for this domain.
You need to add a CAA record allowing Let’s Encrypt to issue wildcard certificates for your domain name. You have one that allows it to issue non-wildcards:
unnecessarilyredacted.club. 299 IN CAA 0 issue "letsencrypt.org"
You do not have one that allows issuance for wildcard certificates. That’s what the issuewild records specify. If you want Let’s Encrypt to be able to issue wildcard certificates, you need to add an issuewild "letsencrypt.org" CAA record as well.
Additional: The issuewild property is a little bit tricky.
If there is only an issue property, then wildcard certificates are allowed.
But if there is at least one issuewild property, then the issue property must be ignored, if the certificate is a wildcard certificate.
If at least one issuewild property is specified in the relevant CAA record set, all issue properties MUST be ignored when processing a request for a domain that is a wildcard domain.
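The issue/issuewild rule described in the answers above, as an added example that is not part of the original posts and is not acme.sh or Let's Encrypt code. The function names and the three issuewild issuer domains are assumptions (the thread names the CAs but does not show those records), and the record set passed in is assumed to be the already-located relevant CAA set for the domain.

```python
import re

# Constructed record set. The "issue" line is the one quoted in the thread; the
# issuewild lines are assumed stand-ins for the three CAs the answer names.
SAMPLE_RRSET = """
unnecessarilyredacted.club. 299 IN CAA 0 issue "letsencrypt.org"
unnecessarilyredacted.club. 299 IN CAA 0 issuewild "comodoca.com"
unnecessarilyredacted.club. 299 IN CAA 0 issuewild "digicert.com"
unnecessarilyredacted.club. 299 IN CAA 0 issuewild "globalsign.com"
"""

CAA_LINE = re.compile(r'\sCAA\s+(\d+)\s+(\w+)\s+"([^"]*)"')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text):
    """Return (flags, tag, issuer) tuples from zone-file style CAA lines."""
    records = []
    for line in text.splitlines():
        m = CAA_LINE.search(line)
        if m:
            # Drop parameters after ';' and normalise the issuer domain name.
            issuer = m.group(3).split(";", 1)[0].strip().lower()
            records.append((int(m.group(1)), m.group(2).lower(), issuer))
    return records


def may_issue(records, name, ca_domain):
    """Decide whether ca_domain may issue for name under this CAA record set."""
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer for _, tag, issuer in records if tag == "issue"]
    issuewild = [issuer for _, tag, issuer in records if tag == "issuewild"]
    if name.startswith("*.") and issuewild:
        allowed = issuewild  # any issuewild present: issue is ignored for wildcards
    else:
        allowed = issue      # non-wildcard name, or wildcard with no issuewild
    if not allowed:
        return True          # no applicable property, so CAA does not restrict
    return ca_domain.lower() in allowed  # an empty issuer (";") matches no CA


if __name__ == "__main__":
    rrset = parse_caa(SAMPLE_RRSET)
    for name in ("unnecessarilyredacted.club", "*.unnecessarilyredacted.club"):
        print(name, may_issue(rrset, name, "letsencrypt.org"))
```

With the sample set, the non-wildcard name is allowed and the wildcard name is refused, which matches the renewal log: the base domain validates while the wildcard fails with the CAA error.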