Problem: How to set up DNS CAA


My records are: 0 issue ; 0 issuewild 0 iodef

But always return the error:

acme: error: 403 :: urn:ietf:params:acme:error:caa :: CAA record for prevents issuance

I checked in and there it shows ok:

Can someone help me?
Thank You.

Hi @douglasoliveiraadv, welcome to the community forum :wave:

What ACME client are you using? Can you share the command/configuration?

(As a note: it would be easier to debug this if you shared your real domain name)

One thing I notice about this policy is that it would forbid issuance for the base domain. It's typical when requesting a wildcard certificate to request both * and since the former won't cover the later. If you are doing that with this CAA policy the validation for will fail because there is no issue allowing Let's Encrypt, just an issuewild which is not considered for this case because RFC 6844 says:

issuewild properties MUST be ignored when processing a request for a domain that is not a wildcard domain.
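As an added illustration of the rule quoted above (my own example, not code from this thread, from Traefik or from Let's Encrypt), the following Python picks the relevant CAA RRset for a name and applies `issue` versus `issuewild` the way RFC 8659 (which obsoleted RFC 6844) specifies. The zone data is constructed, with `example.com` standing in for the poster's redacted apex name.

```python
# Added example, not from the thread: a minimal RFC 8659 CAA check that shows
# why `issue ";"` plus `issuewild "letsencrypt.org"` blocks the apex but not the wildcard.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or 128 (issuer-critical); not evaluated in this example
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain, optionally followed by ";params", or ";" alone


def relevant_records(zone: dict, hostname: str) -> list:
    """Climb from the non-wildcard form of the name towards the root and
    return the first CAA RRset found (RFC 8659, section 3)."""
    name = hostname[2:] if hostname.startswith("*.") else hostname
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(zone: dict, hostname: str, ca: str = "letsencrypt.org") -> bool:
    """True if `ca` is permitted to issue for `hostname` under the zone's CAA policy."""
    rrset = relevant_records(zone, hostname)
    if not rrset:
        return True  # no CAA records anywhere above the name: unconstrained
    issue = [r.value for r in rrset if r.tag == "issue"]
    issuewild = [r.value for r in rrset if r.tag == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    # Non-wildcard names ignore issuewild entirely (the rule quoted above).
    if hostname.startswith("*.") and issuewild:
        applicable = issuewild
    else:
        applicable = issue
    if not applicable:
        return True  # the relevant RRset constrains nothing for this name type
    # An issue value of ";" has an empty issuer domain, which authorises no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca.lower() in allowed


# Constructed zone mirroring the poster's policy (apex replaced by example.com).
POSTER_ZONE = {
    "example.com": [
        CAA(0, "issue", ";"),
        CAA(0, "issuewild", "letsencrypt.org"),
    ]
}
```

With `POSTER_ZONE`, `may_issue` returns True for `*.example.com` but False for `example.com` and `www.example.com`, which is exactly the 403 the poster sees when the client also requests the apex name.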

Hello! Many thanks for the quick reply!

I’m using traefik (docker).

My domain is

I need https at *

Thank you again!

isn’t a wildcard hostname. Therefore, without an issue tag for, your CAA record will refuse certificates with this hostname, as @cpu already explained.


Can you update your DNS zone so that instead of: 0 issue “;”

It has: 0 issue “”

and then see if you still get a CAA policy error when using Traefik to issue certificates for the domain.

Hi @douglasoliveiraadv

now your CAA entries are ok:

8. CAA - Entries

| Domainname | flag | Name | Value | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | 0 | no CAA entry found | | 1 | 0 |
| | 0 | no CAA entry found | | 1 | 0 |
| | 5 | issue | | 1 | 0 |
| | 5 | iodef | | 1 | 0 |
| | 5 | issue | | 1 | 0 |
| | 9 | issuewild | | 1 | 0 |
| | 0 | no CAA entry found | | 1 | 0 |

Does traefik support a manual option? There are no TXT entries visible.

You should create one certificate with *, so you need two entries with

as domain name and different values.


Thank you all for your help.
You guys are very fast!

@JuergenAuer But I did not quite understand your instructions.

Do I need one or two more records?

Should I generate the certificate manually?
How should these records be?

From what I saw of traefik, it generates the necessary certificate itself. I got an error in the traefik log file

Thank you!

Now everything is ok. Thank you!


Glad to hear it! Thanks for reporting back :slight_smile:

The typical wildcard certificate has * and as domain names and uses dns-01 validation with both domain names. So you have to create two txt entries.

I don’t know the options of traefik. And an automatic script requires that you manage your own dns server or your dns provider supports an API you can use.

But happy to read that it had worked :wink:
