Status 403: CAA record prevents issuance

Hi All,
I'm having trouble getting a LE cert. I have added a CAA record to LE to issue a wildcard cert.
But I get the error "CAA record for prevents issuance".

Can someone please point me in the right direction to troubleshoot?

Certbot logs when failing -

[Tue Nov 10 16:52:12 GMT 2020] code='200'
[Tue Nov 10 16:52:12 GMT 2020] original='{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:caa",
"detail": "CAA record for prevents issuance",
"status": 403
"url": "",
"validationRecord": [
"hostname": ""


I'm not that familiar with CAA, but the hostname for which the error is, isn't a wildcard hostname. I'm guessing you'll need to set both issue as well as issuewild. tells me for a non-wildcard and wildcard cert you just set issue without setting issuewild.

OK, so if I understand the RFC correctly, the issue property is valid for any label, but the issuewild is only valid for wildcard domains. Therefore, any wildcard certificate also containing a regular hostname, would require a valid issue property, as the issuewild wouldn't cover it.
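The issue/issuewild rules described in the reply above, as an added example that is not part of the original thread: a small Python evaluator following the CAA processing rules of RFC 8659. The `example.com` record sets, the function names and the `BEFORE`/`AFTER` zones are constructed for illustration (they are not the poster's records); the code does no DNS lookups and ignores CNAMEs and issuer parameters.

```python
# Added example: CAA evaluation per RFC 8659 over constructed record sets.
# A record is (flags, tag, value); a zone maps a domain to its CAA RRset.

def relevant_rrset(name, zone):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":              # a wildcard is looked up at its base domain
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def caa_permits(name, zone, ca):
    """True if CA domain `ca` may issue for `name` given the CAA data in `zone`."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True                   # no CAA anywhere on the path: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag not in known for flags, tag, _ in rrset):
        return False                  # critical property the CA does not understand
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    if name.startswith("*.") and issuewild:
        props = issuewild             # issuewild replaces issue for wildcard names
    else:
        props = issue                 # non-wildcard names never consult issuewild
    if not props:
        return True                   # nothing in the RRset restricts this name
    # The issuer domain is the part before any ';'. A bare ";" names no CA.
    return any(v.split(";")[0].strip().lower() == ca for v in props)

CA = "letsencrypt.org"
# Constructed: wildcard allowed via issuewild, everything else forbidden by issue ";".
BEFORE = {"example.com": [(0, "issue", ";"), (0, "issuewild", "letsencrypt.org")]}
# Constructed: a single issue record covers both the base name and the wildcard.
AFTER = {"example.com": [(0, "issue", "letsencrypt.org")]}

def check(zone):
    """Evaluate the two names a typical wildcard certificate contains."""
    return {n: caa_permits(n, zone, CA) for n in ("example.com", "*.example.com")}

if __name__ == "__main__":
    print("before:", check(BEFORE))
    print("after: ", check(AFTER))
```

With the constructed `BEFORE` records the wildcard name passes but the base name is refused, which is the situation a certificate covering both names runs into; with `AFTER` both pass.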


Brilliant!!!
That cleared the issue.
I changed my caa to CAA 0 issue ""

Thanks a lot for your help.

