Error while creating certificate with win-acme: "CAA record for <site> prevents issuance"

Hi! Here’s what I tried so far

My domain is:

I ran this command:
M: Create certificate (full options)
2: Manual input
[http-01] Save verification files on (network) path

It produced this output:
type: urn:ietf:params:acme:error:caa
Detail: “CAA record for prevents issuance”

My web server is (include version):
IIS 10.0.17763.1

The operating system my web server runs on is (include version):
Windows Server 2019 Datacenter

My hosting provider, if applicable, is:
Self managed AWS EC2 server

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Additional info:
Checked my domain at
And no CAA entry was found for the subdomain I’m trying to certificate.

Hi @trifas

that’s correct. But that doesn’t help:

Domainname flag Name Value ∑ Queries ∑ Timeout 0 no CAA entry found 1 0 5 issue 1 0
5 issue 1 0
9 issuewild 1 0
5 issue 1 0
5 issue 1 0 0 no CAA entry found 1 0
br 0 no CAA entry found 1 0

If your subdomain hasn’t an own CAA, the next parent domains are checked.

But has CAA, is missing -> so you can’t create a Letsencrypt certificate.

If possible, add a CAA entry with your subdomain.

Or check, if it is possible to add a CAA with on


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.