Failing to use accounturi in production

I have tried to add accounturi to CAA record of the domain: has CAA record 0 issue "; accounturi="

However certbot failed to renew the certificate. If I remove accounturi the renewal starts to work again.

I see CAA accounturi attribute support was enabled several days ago: Enabling ACME CAA Account and Method Binding — was it backed off? Or am I using the wrong syntax for the accounturi parameter?

My domain is:

I ran this command: certbot renew --force-renewal --dry-run --cert-name ( is included in the set of domains to renew).

It produced this output:

Simulating renewal of an existing certificate for and 5 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Type:   caa
  Detail: CAA record for prevents issuance

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

Dry run does not require a forced renewal, please remove the --force-renewal option.


As dry-run runs through the staging server, shouldn't accounturi point to the staging account to work in a dry run?
Not sure about the syntax for multiple URIs for acme-caa.


Probably need to include a second CAA RR for the staging account URI indeed.


Exactly, staging needs a different CAA record because it's a different account.

CAA records are "OR", so a different CAA record which allows your staging account should do the trick. Within the same record the conditions are "and".
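The OR-across-records, AND-within-a-record behaviour described in this reply, as an added example that is not part of the original thread: a simplified evaluator for CAA `issue` records with `accounturi`. The CA identifier and account URIs are constructed sample values, and `issuewild`, `validationmethods` and the critical flag are left out.

```python
# Added example: simplified evaluation of CAA "issue" records carrying an
# accounturi parameter. All names and account URIs are constructed samples.

def parse_issue_value(value):
    """Split an issue property value into (ca_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for item in parts[1:]:
        if item:
            tag, _, val = item.partition("=")
            params[tag.strip().lower()] = val.strip()
    return parts[0].lower(), params

def issuance_allowed(records, ca_domain, account_uri):
    """records: list of (flags, tag, value) tuples forming the CAA RRset."""
    issue_values = [v for _, tag, v in records if tag.lower() == "issue"]
    if not issue_values:
        return True  # no issue property present: CAA does not restrict issuance
    for value in issue_values:  # each record is an alternative (OR)
        domain, params = parse_issue_value(value)
        if domain != ca_domain.lower():
            continue
        # Every condition inside one record must hold (AND): the CA domain
        # matched above, and accounturi (if present) must match exactly.
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True
    return False

# Constructed account URIs: production and staging are separate accounts.
PROD = "https://acme-v02.api.letsencrypt.org/acme/acct/1111"
STAGING = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/2222"
CA = "letsencrypt.org"  # assumed CA identifier for both environments

# One record bound to the production account only.
PROD_ONLY = [(0, "issue", f"{CA}; accounturi={PROD}")]
# A second record added for the staging account, as suggested above.
BOTH = PROD_ONLY + [(0, "issue", f"{CA}; accounturi={STAGING}")]

if __name__ == "__main__":
    for name, rrset in (("prod only", PROD_ONLY), ("prod + staging", BOTH)):
        for label, uri in (("production", PROD), ("staging", STAGING)):
            verdict = "allowed" if issuance_allowed(rrset, CA, uri) else "blocked"
            print(f"{name:15} {label:10} -> {verdict}")
```

With only the production record, a request from the staging account is blocked, which matches the `caa` error from the dry run.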


Indeed. I wasn't aware that dry-runs run through staging. Thank you!

