Multiple CAA Records -> Not working

If you have multiple CAA records due to other providers like DigiCert, Comodo and Letsencrypt.org, the certbot from Letsencrypt will give you this error message:

Detail: CAA record for shop.icuserver.com prevents issuance

In my opinion this should work, because you can have multiple CAA records according to the RFC:
https://tools.ietf.org/html/rfc6844 -> Section 3

kind regards
Sebastian Fessl

1 Like

Can we see your CAA record set? Your domain doesn’t have any at the moment.

As long as one of the CAA records is permissive of letsencrypt.org, it shouldn’t matter how many you have.

1 Like

Hi @itseasy3133

That’s simple, see your check, ~80 minutes old - https://check-your-website.server-daten.de/?q=shop.icuserver.com#caa

13. CAA - Entries

| Domainname | flag | Name | Value | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| shop.icuserver.com | 0 | | no CAA entry found | 1 | 0 |
| icuserver.com | 5 | issue | comodoca.com | 1 | 0 |
| | 5 | issue | Letsencrypt.org | 1 | 0 |
| com | 0 | | no CAA entry found | 1 | 0 |

Letsencrypt.org is wrong, must be letsencrypt.org.

Small difference, but important :wink:

2 Likes
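Added example, not part of the thread and not any CA's own code: a small pre-flight check that climbs from the hostname to the closest CAA record set and tests whether an issuer is authorized. It assumes, as the thread reports, that the CA compares the published issuer value exactly. `ZONE` is constructed from the check output above, and all function names are illustrative.

```python
# Constructed from the check output in the thread: name -> [(flag, tag, value)].
ZONE = {
    "icuserver.com": [
        (5, "issue", "comodoca.com"),
        (5, "issue", "Letsencrypt.org"),
    ],
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn towards the root and return (name, records) for the
    closest name that publishes CAA records, or (None, []) if none does."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_domain(value):
    """Issuer domain is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip()

def issue_values(fqdn, zone):
    """Issuer domains from the 'issue' records of the relevant record set."""
    _, records = relevant_caa(fqdn, zone)
    return [issuer_domain(v) for _, tag, v in records if tag.lower() == "issue"]

def may_issue(fqdn, ca_domain, zone, exact_match=True):
    """True if ca_domain is authorized. exact_match=True models a CA that
    compares the published value byte for byte (assumption from the thread)."""
    values = issue_values(fqdn, zone)
    if not values:
        return True  # no issue property in the relevant set: no restriction
    if not exact_match:
        values, ca_domain = [v.lower() for v in values], ca_domain.lower()
    return ca_domain in values

def mixed_case_issuers(fqdn, zone):
    """Lint: issuer values that would fail an exact, lowercase comparison."""
    return [v for v in issue_values(fqdn, zone) if v != v.lower()]

if __name__ == "__main__":
    host = "shop.icuserver.com"
    print(relevant_caa(host, ZONE)[0])
    print(may_issue(host, "letsencrypt.org", ZONE))
    print(mixed_case_issuers(host, ZONE))
```

Running the lint before requesting a certificate surfaces the mixed-case value even though the record set looks permissive at a glance.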