There is a website that is served through Akamai and when the certificate was getting renewed, there was one domain in the SAN which showed as "Validation pending" in the Akamai Certificate Portal.
We took the DNS token in the portal and updated it on the DNS server. When we checked the Akamai portal again, the token had changed. We went ahead and updated the DNS TXT record and the same problem repeated. This happened about 4 times in a very short duration.
On getting on a call with Akamai Support, the issue was identified as the CAA record being incorrectly updated: Let's Encrypt was not mentioned there; another CA's name was. We changed it and the issue got resolved.
The question here is: normally, if such a scenario occurs, I think I remember there is an error saying "CAA record for example.com prevents issuance" or something like that. But I am not sure if the process changed on your end.
I just want to clarify if a CAA record can cause this kind of issue, where a new token is always generated if the CAA validation failed, or if there is any other reason for this weird behavior.
As certificate issues can cause a DoS situation, I would really appreciate a response a little sooner.
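The CAA check that blocked the renewal above can be reproduced offline before a CA is ever asked to issue. The following is an added example, not code from the original post, from Let's Encrypt or from Akamai: it implements the RFC 8659 processing rules (climb from the FQDN toward the root until a CAA RRset is found; for wildcard names prefer `issuewild`; refuse on an unrecognised critical tag; otherwise allow the CA only if its issuer domain is listed). The zone contents, names and the `ca_allowed` helper are constructed assumptions so the script runs without DNS access; in practice you would feed it the records returned by `dig CAA <name>` at each level.

```python
"""Offline CAA evaluation following RFC 8659 section 4 (constructed example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 128 = issuer-critical
    tag: str
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for DNS answers (keys are FQDNs without the
# trailing dot).  Names absent here have no CAA RRset, so evaluation climbs to
# the parent, exactly as a CA would do for www.example.com.
ZONE = {
    # Mirrors the misconfiguration in the post: another CA listed, Let's Encrypt not.
    "example.com": [CAA(0, "issue", "digicert.com"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    # The corrected record: letsencrypt.org authorised.
    "fixed.example.com": [CAA(0, "issue", "letsencrypt.org")],
    # Wildcard issuance governed separately from non-wildcard issuance.
    "wild.example.com": [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issuewild", "letsencrypt.org")],
    # Only an iodef property: no issue restriction at all.
    "open.example.com": [CAA(0, "iodef", "mailto:x@example.com")],
    # Critical flag on a tag the CA does not understand: must refuse.
    "strict.example.com": [CAA(128, "futureprop", "whatever")],
}


def relevant_caa(name, zone):
    """Climb from name toward the root; return (owner, RRset) of the first
    non-empty CAA RRset, or (None, []) if none exists up the tree."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org';
    a bare ';' yields '' which matches no CA (explicit deny-all)."""
    return value.split(";", 1)[0].strip().lower()


def ca_allowed(name, ca, zone, wildcard=False):
    """Return (allowed: bool, reason: str) for CA `ca` issuing for `name`."""
    found_at, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA RRset found up the tree; issuance unrestricted"

    # An unrecognised property with the critical bit set forbids issuance.
    critical_unknown = [r for r in rrset if r.flags & 128 and r.tag not in KNOWN_TAGS]
    if critical_unknown:
        return False, f"critical unrecognised CAA tag {critical_unknown[0].tag!r} at {found_at}"

    # issuewild governs wildcard names only when at least one such property exists.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True, f"CAA RRset at {found_at} has no '{tag}' property; issuance unrestricted"

    issuers = {issuer_domain(p.value) for p in props}
    if ca.lower() in issuers:
        return True, f"{ca} listed in '{tag}' at {found_at}"
    listed = sorted(i or "<none>" for i in issuers)
    return False, f"CAA '{tag}' at {found_at} permits only {listed}"


if __name__ == "__main__":
    for fqdn, wild in [("www.example.com", False), ("www.fixed.example.com", False),
                       ("wild.example.com", True), ("strict.example.com", False)]:
        ok, why = ca_allowed(fqdn, "letsencrypt.org", ZONE, wildcard=wild)
        print(f"{fqdn:<24} wildcard={wild!s:<5} allowed={ok!s:<5} {why}")
```

Running the script shows `www.example.com` being refused because the climb reaches `example.com`, which authorises only `digicert.com`; this is the state Akamai Support found, and it is worth running against every SAN entry (and the parent zones of each) before submitting a renewal, since a CAA set at the apex silently governs every subdomain that lacks its own record.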