Hi,
My records is:
my-domain.com.br. 0 issue ;
my-domain.com.br. 0 issuewild letsencrypt.org
my-domain.com.br. 0 iodef mailto:my-email@my-domain.com.br
But always return the error:
acme: error: 403 :: urn: ietf: params: acme: error: caa :: CAA record for teste.winserver2019.my-domain.com.br prevents issuance
I checked in https://dnsspy.io/labs/caa-validator and there it shows ok: https://i.imgur.com/bZbN8oJ.png
Can someone help me?
Thank You.
Hi @douglasoliveiraadv, welcome to the community forum 
What ACME client are you using? Can you share the command/configuration?
(As a note: it would be easier to debug this if you shared your real domain name)
One thing I notice about this policy is that it would forbid issuance for the base domain. It's typical when requesting a wildcard certificate to request both *.example.com and example.com since the former won't cover the later. If you are doing that with this CAA policy the validation for example.com will fail because there is no issue allowing Let's Encrypt, just an issuewild which is not considered for this case because RFC 6844 says:
issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain.
Hello! Many thanks for the quick reply!
Iām using traefik (docker).
My domain is mvarandas.com.br.
I need https at *.winserver2019.mvarandas.com.br
Thank you again!
teste.winserver2019.my-domain.com.br isn't a wildcard hostname. Therefore, without an issue tag for letsencrypt.org, your CAA record will refuse certificates with this hostname, as @cpu already explained.
Can you update your DNS zone so that instead of:
my-domain.com.br. 0 issue ";"
It has:
my-domain.com.br. 0 issue "letsencrypt.org"
and then see if you still get a CAA policy error when using Traefik to issue certificates for the domain.
now your CAA entries are ok:
| Domainname | flag | Name | Value | ā Queries | ā Timeout |
|---|---|---|---|---|---|
| www.winserver2019.mvarandas.com.br | 0 | no CAA entry found | 1 | 0 | |
| winserver2019.mvarandas.com.br | 0 | no CAA entry found | 1 | 0 | |
| mvarandas.com.br | 5 | issue | comodoca.com | 1 | 0 |
| 5 | iodef | douglas@mvarandas.com.br | 1 | 0 | |
| 5 | issue | letsencrypt.org | 1 | 0 | |
| 9 | issuewild | letsencrypt.org | 1 | 0 | |
| com.br | 0 | no CAA entry found | 1 | 0 |
Supports traefik a manual option? There are no TXT entries visible.
You should create one certificate with *.winserver2019.mvarandas.com.br winserver2019.mvarandas.com.br, so you need two entries with
_acme-challenge.winserver2019.mvarandas.com.br
as domain name and different values.
Thank you all for your help.
You guys are very fast!
@JuergenAuer But I did not quite understand your instructions.
Do I need one or two more records?
Should I generate the certificate manually?
How should these records be?
From what I saw of traefik, he himself generates the necessary certificate. I got error in the traefik log file
Thank you!
Now everything is ok. Thank you!
Glad to hear it! Thanks for reporting back 
The typical wildcard certificate has *.example.com and example.com as domain names and uses dns-01 validation with both domain names. So you have to create two txt entries.
I don't know the options of traefik. And an automatic script requires that you manage your own dns server or your dns provider supports an API you can use.
But happy to read that it had worked 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.