Forbidden :: Domain is rejected due to CAA forbids issuance

I was having some difficulty generating a certificate with nginx proxy manager + cloudflare. Every time I tried to generate a certificate it prompts on my screen "Forbidden :: Domain is rejected due to CAA forbids issuance". While I already added let's encrypt as CAA to cloudflare, this error remains.

Well, it, uh, sounds like your CAA records forbid issuance. Can you, by any chance, share your domain name and current CAA policy?

1 Like

I cannot share my domain, but the above screenshot is my CAA policy.

Your thread is more suitable for the Help section instead of the Issuance Policy category. I've moved the thread accordingly.

If you had opened this thread in the Help section, you would have been provided with a questionnaire. Please fill out the questionnaire below to the best of your knowledge:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Without the actual FQDN that's failing it's hard for us to debug this. We can only recommend some generic stuff, e.g. what does [Let's Debug](https://letsdebug.net/) have to say and that kind of thing.

2 Likes

Hi @kkool,

Please check with all the Authoritative Name Servers, plus a few other NS, to make sure the CAA has propagated. Recently I had seen that CAA message and then I overran the Rate Limits - Let's Encrypt, and the ACME Client I used had still given the CAA message. So a heads up that Error Messages can be wrong on what the issue actually is; thus turn on more debugging and verbosity to help.

2 Likes

Without knowing the exact name you are using in the request, we can only speculate. There are DNS idiosyncrasies that could result in the relevant CAA records for a specific hostname not being the ones that you think they ought to be.

All hostnames are published in CT logs, so you aren't doing anything other than hinder those who are willing to help you.

3 Likes
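The two replies above make the same point from different angles: the CAA RRset a CA actually evaluates is the one found by walking from the requested hostname up through its parents (RFC 8659 section 3), and every authoritative name server has to be returning the updated records before the CA will see them. The following Python is an added example, not code from this thread or from Let's Encrypt; it runs the RFC 8659 decision over a constructed snapshot of CAA answers (the names, records and server labels are made up) and shows how a stale secondary or a forgotten CAA record on a subdomain produces "CAA forbids issuance" even after the apex record was changed. In practice you would replace the snapshot with the answers from `dig CAA <name> @<each authoritative server>`.

```python
"""Evaluate RFC 8659 CAA authorisation for a hostname over constructed DNS snapshots,
and compare the verdict across several name servers to spot incomplete propagation."""
from typing import Dict, List, Optional, Tuple

# (flags, tag, value) tuples; owner names are fully qualified with a trailing dot.
CaaRecord = Tuple[int, str, str]
Zone = Dict[str, List[CaaRecord]]

# Constructed snapshot: what one authoritative server answers for CAA queries.
PRIMARY_NS: Zone = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:caa@example.com")],
    "legacy.example.com.": [(0, "issue", "otherca.example"), (0, "issuewild", ";")],
}
# Constructed snapshot of a secondary that has not yet received the updated example.com. zone.
STALE_NS: Zone = {
    "example.com.": [(0, "issue", "otherca.example")],
    "legacy.example.com.": [(0, "issue", "otherca.example"), (0, "issuewild", ";")],
}


def relevant_caa(zone: Zone, name: str) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset found
    walking from the name itself up through its parents toward the root."""
    bare = name[2:] if name.startswith("*.") else name
    labels = bare.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer domain is the text before the first ';', trimmed and lower-cased;
    an empty issuer domain (the value ';') means no CA at all is authorised."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone: Zone, name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `name` (a wildcard request starts with '*.')."""
    wildcard = name.startswith("*.")
    origin, rrset = relevant_caa(zone, name)
    if origin is None:
        return True, "no CAA RRset on the name or any parent: issuance not restricted"
    # For wildcards issuewild takes precedence; if absent, the issue properties apply.
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        props = [issuer_domain(v) for (_, t, v) in rrset if t.lower() == tag]
        if props:
            if ca.lower() in props:
                return True, f"{origin} {tag} permits {ca}"
            return False, f"{origin} {tag} records {props} do not include {ca}"
    return True, f"{origin} has CAA records but no issue/issuewild property: not restricted"


def compare_servers(servers: Dict[str, Zone], name: str, ca: str) -> Dict[str, Tuple[bool, str]]:
    """Run the decision against each server's answers. A CA validates against the
    authoritative servers directly, so any server still serving the old policy can fail you."""
    return {ns: issuance_allowed(zone, name, ca) for ns, zone in servers.items()}


def consistent(results: Dict[str, Tuple[bool, str]]) -> bool:
    """True when every server yields the same allow/forbid verdict."""
    return len({allowed for allowed, _ in results.values()}) == 1


if __name__ == "__main__":
    servers = {"ns1.example.com": PRIMARY_NS, "ns2.example.com": STALE_NS}
    for host in ["www.example.com", "app.legacy.example.com", "*.legacy.example.com", "other.example"]:
        res = compare_servers(servers, host, "letsencrypt.org")
        print(host, "consistent" if consistent(res) else "INCONSISTENT across servers")
        for ns, (ok, why) in res.items():
            print(f"  {ns}: {'allowed' if ok else 'FORBIDDEN'} - {why}")
```

Running it shows `www.example.com` allowed on the primary but forbidden on the stale secondary (the propagation case), and `app.legacy.example.com` forbidden everywhere because the subdomain's own CAA RRset, not the apex one, is the relevant one (the "not the records you think" case). The `reason` string is what you want in the debugging output the reply above asks for, since the ACME client's one-line error hides which name and which record actually blocked issuance.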

I solved this issue now. (Removed some configuration.) Just wondering, how do I close this thread on this website?

1 Like

Check the greyed out check mark on the post you feel best was the solution to the issue.

2 Likes