CAA MISMATCH high

CAA record blocks SSL certificate issuance

A DNS CAA record authorizes only specific Certificate Authorities, so the CA you're using is refused and certificate issuance fails.

What you see

CAA record for example.com prevents issuance

Error finalizing order :: Error creating new order :: CAA record for example.com prevents issuance

What's actually happening

Certificate issuance or renewal fails during domain validation, even though the DNS challenge or HTTP challenge itself passes. Let's Encrypt / ACME logs say the CAA record prevents issuance. The site keeps serving its old cert until it expires, then visitors hit a full HTTPS interstitial. This bites hardest when you switch CDNs or cert providers and the old CAA record still names only the previous CA.

Common causes

  • A CAA record lists a different CA (e.g. only `digicert.com`) while you're requesting from Let's Encrypt
  • You moved to a new host/CDN whose CA isn't in the existing CAA set
  • The CAA `issuewild` tag blocks a wildcard cert even though `issue` would allow it
  • CAA record is published at a parent domain and inherited by the subdomain you're validating
  • Typo in the CA domain (e.g. `letsencrypt.com` instead of `letsencrypt.org`) so no CA matches

How to fix it

  1. Read the current CAA record
     Run `dig example.com CAA +short`, and check the parent domains too: the CA walks up the tree from the name being validated to the first CAA set it finds, so a subdomain with no record of its own inherits its parent's. You'll see entries like `0 issue "digicert.com"`. If your CA isn't listed, that's the block.
  2. Add your CA's identifier to the record
     For Let's Encrypt add `0 issue "letsencrypt.org"`. For AWS ACM add `0 issue "amazon.com"`; for Google add `0 issue "pki.goog"`; Cloudflare's Universal SSL uses several, so check the provider's docs for the exact issuer domain. You can allow multiple CAs by publishing multiple `issue` records.
  3. Handle wildcards with issuewild
     If you need a wildcard cert, the CA must be allowed via `0 issuewild "letsencrypt.org"` specifically. A plain `issue` record does not cover wildcard issuance; this is a separate, easy-to-miss tag.
  4. Wait out the TTL, then retry
     CAA is checked live by the CA at issuance time, but the CA resolves it through the DNS chain and respects TTLs. After editing, wait for the old record's TTL to expire, confirm with `dig`, then re-run your ACME client or click renew.
  5. If unsure, remove CAA entirely as a fallback
     No CAA record means any publicly trusted CA may issue, which is the pre-2017 default. It's less strict but unblocks issuance immediately while you sort out the correct issuer list.
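As an added example (not part of this page or of any CA's tooling), the checks from steps 1 to 3 done offline: a small Python script that parses `dig +short` CAA output, climbs to the parent domain the way a CA does, and applies the tag precedence RFC 8659 specifies (issuewild overrides issue for wildcard names when present; otherwise issue applies). The zone data and every name in it are constructed for illustration.

```python
import re
# Constructed sample zone data (not real DNS): what `dig <name> CAA +short`
# would print for each name. Names absent here have no CAA RRset of their own.
DIG_OUTPUT = {
    "example.com": '0 issue "digicert.com"\n0 issuewild "digicert.com"',
    "shop.example.com": '0 issue "letsencrypt.org"',
    "media.example.com": '0 issue "letsencrypt.org"\n0 issuewild "digicert.com"',
    "typo.example.net": '0 issue "letsencrypt.com"',  # .com typo, should be .org
}
CAA_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(text):
    """Parse `dig +short` CAA lines into (flags, tag, value) tuples."""
    recs = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        recs.append((int(m.group(1)), m.group(2).lower(), m.group(3).strip()))
    return recs

def relevant_caa(name, lookup):
    """RFC 8659 section 3: climb from name toward the root; the first label
    holding a CAA RRset is the one that applies (the parent-domain case)."""
    labels = name.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        recs = parse_caa(lookup.get(owner, ""))
        if recs:
            return owner, recs
    return None, []

def caa_allows(name, ca_domain, lookup):
    """Return (allowed, reason) for the CA identified by ca_domain. Wildcard
    names use issuewild when it is present, otherwise they fall back to issue."""
    wildcard = name.startswith("*.")
    owner, recs = relevant_caa(name[2:] if wildcard else name, lookup)
    if not recs:
        return True, "no CAA RRset anywhere in the chain: any public CA may issue"
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in recs) else "issue"
    tagged = [v for _, t, v in recs if t == tag]
    if not tagged:
        return True, f"no {tag} property at {owner}: CAA does not restrict this request"
    # Values may carry parameters after ';' (e.g. "letsencrypt.org; validationmethods=dns-01");
    # the issuer domain is the part before it, and `issue ";"` names no issuer at all.
    issuers = {v.split(";")[0].strip().lower() for v in tagged} - {""}
    if ca_domain.lower() in issuers:
        return True, f'{tag} at {owner} permits "{ca_domain}"'
    return False, f'{tag} at {owner} permits {sorted(issuers) or "no CA"}, not "{ca_domain}"'
```

Feed it the real `dig +short` output for your name and each parent, and the reason string tells you which owner and which tag is doing the blocking.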

Stop it recurring

When migrating CDN, host, or cert provider, update CAA before the cutover so the new CA can issue, and include both old and new issuers during the transition.
