Renewing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: PLESK 18.0.24

It produced this output: Let’s Encrypt-SSL/TLS-Zertifikat konnte nicht ausgestellt werden für .

Invalid response from


Type: urn:ietf:params:acme:error:caa

Status: 403

Detail: Error finalizing order :: While processing CAA for CAA record for prevents issuance

My web server is (include version):

The operating system my web server runs on is (include version): ‪Debian 9.12‬

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

These are your current CAA records:	7200	IN	CAA	0 issue ";"	7200	IN	CAA	0 issuewild ""

If I interpret the records correctly, it only allows wildcard certificates from Let’s Encrypt and no non-wildcard certificates, no matter what CA.

If you use, I’m getting the following CAA record when ticking both Non-Wildcard and Wildcard certificate: CAA 0 issue ""


What do I have to change in the zonefile?

My current:
@ IN CAA 0 issue “;”
@ IN CAA 0 issue “

Hi @benjaminkramer

remove the first row. The first row blocks.

If you have only the second row, only Letsencrypt is allowed to create certificates.

Thanks for your help :slight_smile: Now it works perfectly:)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.