CAA record prevents issuance (severity: high)
"CAA record for example.com prevents issuance" (SSL)
A DNS CAA record authorizes only certain CAs, so your CA is refused and the certificate won't issue or renew.
What you see
Problem binding to port 443: ... Detail: CAA record for example.com prevents issuance
What’s actually happening
Issuing or renewing a cert fails at the validation step with a CAA error — certbot/ACME logs "CAA record for example.com prevents issuance" or "CAAIssuanceNotAllowed." DNS and HTTP-01/DNS-01 challenges may pass, then it dies right before issuance. The cert never gets created, so nothing is wrong with your web server config; the block is in DNS policy.
Common causes
- A CAA record exists naming a different CA (e.g. only "digicert.com" or "sectigo.com") and not letsencrypt.org, so Let's Encrypt is forbidden.
- You're requesting a wildcard but only an issue record exists; without a matching issuewild, some setups refuse the wildcard.
- The CAA record is set on a parent/apex domain and inherited by the subdomain you're trying to cover.
- A typo in the CA identifier ("letsencrypt.com" instead of "letsencrypt.org") so no authorized CA actually matches.
- CAA checked against the wrong DNS view: the CA's resolver (or a DNSSEC validation problem, or a stale cache) returns an old CAA record that the CA still honors, even though your own query shows the updated one.
How to fix it
- See the actual CAA records. Query directly: dig CAA example.com +short (and check the apex and any parent). Note every issue / issuewild value. If output is empty, any CA may issue and your problem is elsewhere; if it lists CAs, confirm whether yours is in there.
- Add your CA to the CAA set. For Let's Encrypt add: example.com. CAA 0 issue "letsencrypt.org". For a wildcard cert also add: example.com. CAA 0 issuewild "letsencrypt.org". Keep any existing legitimate CA entries: CAA is additive, and multiple issue records are allowed.
- Or remove the conflicting record. If the CAA record was added by mistake and you don't need CA pinning, delete it. With no CAA record present, every CA is permitted to issue.
- Wait for DNS, then re-run. Respect the record's TTL before retrying, since CAs query live DNS at issuance. Then rerun certbot renew (or your issuance command) and watch the log clear the CAA check.
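The check the steps above do by hand (query CAA at the name, then the apex and parents, and see whether your CA appears under issue or issuewild) is written out below as an added example; it is not part of the original page or of certbot. The dig output it parses is constructed inline, the lookup uses that dictionary in place of a live query, and the inheritance and wildcard rules follow RFC 8659, so it also covers the parent-domain and issuewild cases listed under "Common causes".

```python
import re

# Constructed stand-in for `dig CAA <name> +short` output, keyed by FQDN (not real DNS data).
# The apex pins DigiCert for ordinary certs and Let's Encrypt for wildcards only;
# the subdomain has no CAA set of its own and so inherits the apex policy.
SAMPLE_DIG_OUTPUT = {
    "example.com.": '0 issue "digicert.com"\n'
                    '0 issuewild "letsencrypt.org"\n'
                    '0 iodef "mailto:security@example.com"\n',
    "www.example.com.": "",
}

CAA_LINE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_caa(text):
    """Parse dig +short CAA lines into (flags, tag, value) tuples; tags are case-insensitive."""
    out = []
    for line in (text or "").splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2).lower(), m.group(3).strip()))
    return out

def relevant_caa_set(name, lookup):
    """Climb from the name toward the apex; the first non-empty CAA set wins (RFC 8659)."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard request is evaluated starting at its parent name
    while labels:
        fqdn = ".".join(labels) + "."
        records = parse_caa(lookup(fqdn))
        if records:
            return fqdn, records
        labels = labels[1:]
    return None, []

def ca_permitted(name, ca_domain, lookup):
    """Return (allowed, reason) for issuing `name` via the CA identified by ca_domain."""
    zone, records = relevant_caa_set(name, lookup)
    if not records:
        return True, "no CAA record found at any level; every CA may issue"
    tag = "issue"
    if name.startswith("*.") and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"  # when present, issuewild replaces issue for wildcard requests
    authorized = {r[2].split(";")[0].strip().lower() for r in records if r[1] == tag}
    authorized.discard("")  # an empty value such as issue ";" authorizes no CA at all
    if ca_domain.lower() in authorized:
        return True, f"{ca_domain} is listed in {tag} at {zone}"
    return False, f"CAA at {zone} limits {tag} to {sorted(authorized)}; {ca_domain} is absent"
```

Replacing SAMPLE_DIG_OUTPUT.get with a function that runs dig for the given name turns this into a pre-flight check you can run before certbot.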
Stop it recurring
If you pin CAs with CAA, add every CA you actually use (and issuewild for wildcards) so a forgotten record doesn't block the next renewal.
Related errors