Error while creating certificate with win-acme: "CAA record for <site> prevents issuance"

Hi! Here’s what I tried so far

My domain is:
mananciais-hom.sabesp.com.br

I ran this command:
win-acme.v2.1.9.870.x64.pluggable>wacs.exe
M: Create certificate (full options)
2: Manual input
[http-01] Save verification files on (network) path

It produced this output:
type: urn:ietf:params:acme:error:caa
Detail: “CAA record for mananciais-hom.sabesp.com.br prevents issuance”

My web server is (include version):
IIS 10.0.17763.1

The operating system my web server runs on is (include version):
Windows Server 2019 Datacenter

My hosting provider, if applicable, is:
Self managed AWS EC2 server

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
win-acme.v2.1.9.870.x64.pluggable

Additional info:
Checked my domain at
https://check-your-website.server-daten.de/?q=mananciais-hom.sabesp.com.br#caa
And no CAA entry was found for the subdomain I’m trying to get a certificate for.

Hi @trifas

That’s correct. But that doesn’t help:

| Domain name | flag | Name | Value | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| mananciais-hom.sabesp.com.br | 0 | | no CAA entry found | 1 | 0 |
| sabesp.com.br | 5 | issue | globalsign.com | 1 | 0 |
| | 5 | issue | sectigo.com | 1 | 0 |
| | 9 | issuewild | sectigo.com | 1 | 0 |
| | 5 | issue | symantec.com | 1 | 0 |
| | 5 | issue | symantecoffer.com | 1 | 0 |
| com.br | 0 | | no CAA entry found | 1 | 0 |
| br | 0 | | no CAA entry found | 1 | 0 |

If your subdomain doesn’t have its own CAA, the next parent domains are checked.

But sabesp.com.br has CAA, and letsencrypt.org is missing, so you can’t create a Let’s Encrypt certificate.

If possible, add a CAA entry for your subdomain.

Or check whether it is possible to add a CAA with letsencrypt.org on sabesp.com.br.

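The parent-domain lookup described in the reply above, as an added example that is not part of the original thread: a simplified version of the RFC 8659 tree climb, run against the CAA records from the table. The `ZONE` data is constructed from that table, the function names are hypothetical, and CNAME handling, the critical flag and issuer parameters are left out.

```python
# Constructed sample data: CAA properties as (tag, value) pairs, copied from
# the table in the reply. Names that are absent have no CAA RRset.
ZONE = {
    "sabesp.com.br": [
        ("issue", "globalsign.com"), ("issue", "sectigo.com"),
        ("issuewild", "sectigo.com"), ("issue", "symantec.com"),
        ("issue", "symantecoffer.com"),
    ],
}
HOST = "mananciais-hom.sabesp.com.br"
# The two fixes suggested in the reply, as constructed variants of ZONE.
ZONE_FIX_SUBDOMAIN = {**ZONE, HOST: [("issue", "letsencrypt.org")]}
ZONE_FIX_PARENT = {"sabesp.com.br": ZONE["sabesp.com.br"] + [("issue", "letsencrypt.org")]}

def relevant_caa_set(fqdn, zone):
    """Climb from fqdn toward the root and return (owner, rrset) for the
    first name that has CAA records, or (None, []) if none does."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_domain(value):
    """Strip optional ';'-separated parameters from an issue/issuewild value."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn, ca, zone):
    """Return (permitted, owner of the CAA set that decided)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset = relevant_caa_set(fqdn[2:] if wildcard else fqdn, zone)
    issue = [issuer_domain(v) for t, v in rrset if t == "issue"]
    issuewild = [issuer_domain(v) for t, v in rrset if t == "issuewild"]
    # issuewild, when present, takes precedence over issue for wildcard names.
    relevant = issuewild if (wildcard and issuewild) else issue
    # No issue/issuewild property at all means CAA places no restriction.
    return (not relevant or ca.lower() in relevant), owner

if __name__ == "__main__":
    for label, zone in [("as published", ZONE), ("CAA on subdomain", ZONE_FIX_SUBDOMAIN),
                        ("letsencrypt.org added on parent", ZONE_FIX_PARENT)]:
        print(label, may_issue(HOST, "letsencrypt.org", zone))
```

A CAA set placed on the subdomain replaces the parent's set for that name, so the CAs listed only on sabesp.com.br would no longer be authorized for the subdomain unless they are listed there as well.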
