Re-reading your original post, I think you have an outdated view of how Let's Encrypt implements CAA. You're describing the legacy RFC 6844 with tree-climbing on CNAMEs. We used that method for a couple of weeks, but we're now back to implementing the erratum 5065 variant, which doesn't tree-climb on CNAMEs. When was the last time you got this error?
Also, your example doesn't really make sense to me: if git.example.com is a CNAME to gitserver.internal.example.com, then looking up the TXT record for DNS validation will fail because 10.0.0.53 is unreachable. Could you please show your real domain names so we can help debug further? As a reminder, all domain names in your certificates wind up in the public CT logs (e.g. at https://crt.sh/).
Thanks,
Jaco
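The difference the reply above draws between the original RFC 6844 lookup and the erratum 5065 variant, as an added illustration that is not part of the thread or of Let's Encrypt's code: the zone data is constructed in memory (the git.example.com CNAME from the thread plus assumed CAA records), and the two functions implement the "relevant record set" rule from each text.

```python
# Added illustration: RFC 6844 section 4 as originally published climbs the
# tree from every CNAME target it follows; erratum 5065 only checks the CAA
# set published at the alias target, then climbs from the original name.
# The zone below is constructed for this example, not real DNS.
ZONE = {
    "git.example.com.": {"CNAME": "gitserver.internal.example.com."},
    "internal.example.com.": {"CAA": ['0 issue "other-ca.example"']},
    "example.com.": {"CAA": ['0 issue "letsencrypt.org"']},
}

def caa(name):
    """CAA(X): records published directly at X (empty list if none)."""
    return ZONE.get(name, {}).get("CAA", [])

def alias(name):
    """A(X): final target of the CNAME chain at X, or None (loops stop)."""
    seen, target = set(), None
    while name in ZONE and "CNAME" in ZONE[name] and name not in seen:
        seen.add(name)
        name = target = ZONE[name]["CNAME"]
    return target

def parent(name):
    """P(X): the label immediately above X ('a.example.com.' -> 'example.com.')."""
    return name.partition(".")[2] or None

def is_tld(name):
    return name.count(".") <= 1  # 'com.' is a top-level domain

def relevant_rfc6844(x):
    """Original text: R(X)=CAA(X), else R(A(X)), else R(P(X)).
    R(A(X)) recurses, so parents of the CNAME target are consulted too."""
    if caa(x):
        return caa(x)
    a = alias(x)
    if a is not None and relevant_rfc6844(a):
        return relevant_rfc6844(a)
    return relevant_rfc6844(parent(x)) if not is_tld(x) else []

def relevant_erratum5065(x):
    """Erratum 5065: R(X)=CAA(X), else CAA(A(X)), else R(P(X)).
    Only the alias target itself is checked; the climb stays on X's parents."""
    if caa(x):
        return caa(x)
    a = alias(x)
    if a is not None and caa(a):
        return caa(a)
    return relevant_erratum5065(parent(x)) if not is_tld(x) else []
```

For git.example.com the legacy rule lands on internal.example.com's record (a parent of the CNAME target), while the erratum rule ignores that branch and uses example.com's record instead.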