Description
The issuance of a Let's Encrypt (LE) SSL certificate for the platform fails with the error:
Error connecting a new SSL certificate. Repeat the certificate connection procedure.
This happens when the domain has an active CAA (Certification Authority Authorization) DNS record that does not authorize letsencrypt.org, so Let's Encrypt is prohibited from issuing certificates for it.
A CAA record (RFC 8659) lists the Certificate Authorities (CAs) that are allowed to issue certificates for the domain. A CA that is not named in any issue record of that set must refuse to issue, and Let's Encrypt checks CAA before every issuance.
Diagnostics
To confirm the cause of the problem, run the following command on the platform server:
host -t CAA domain.com
If the output lists an issue record that does not name letsencrypt.org, the CAA policy is the cause of the error. Example output:
domain.com has CAA record 0 issue "comodoca.com"
A CA that finds no CAA record at the name itself looks at the parent domains, so for a subdomain such as app.domain.com a CAA record on domain.com applies as well. If the query for the subdomain reports "has no CAA record", repeat it for the parent domain.
Solution
To allow certificate issuance, update the CAA record in your domain's DNS zone:
- Log in to your domain registrar's control panel.
- Modify or delete the CAA record:
- editing. Keep the record set, but make sure it contains an issue record for Let's Encrypt:
domain.com. 300 IN CAA 0 issue "letsencrypt.org"
If this is the only CAA issue record, only letsencrypt.org will be able to issue certificates for the domain. Several issue records may coexist, so you can add this one next to the existing CA's record instead of replacing it if that CA is still in use;
- deletion. If you delete the CAA record, the restriction is lifted and any trusted Certificate Authority will be able to issue certificates.
- Save the changes and wait for the DNS records to update (typically from a few minutes up to 24 hours, depending on the record's TTL and resolver caches).
- Retry the certificate issuance process.
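The following script is an added example, not part of the original article or of the platform's own tooling. It turns the diagnostic above into a repeatable check: caa_allows applies the RFC 8659 "issue" rules to the text that host -t CAA prints and reports whether a CA (letsencrypt.org by default) may issue for a non-wildcard name, and check_caa_live queries DNS and climbs towards the root the way a CA does, so it finds a restricting record on a parent zone too. Run it before editing the zone to confirm the cause, and again after the DNS change has propagated to confirm that issuance is now permitted. The function names and the sample host output lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): evaluate CAA policy for
# a non-wildcard name from the output format of host(1), e.g.
#   domain.com has CAA record 0 issue "comodoca.com"
#   domain.com has no CAA record
# Helper names (caa_allows, check_caa_live) are hypothetical, this example's own.

# caa_allows CA_DOMAIN   (reads host output on stdin)
# Prints "allow" or "deny"; exit status 0 = allow, 1 = deny.
caa_allows() {
  awk -v ca="$1" '
    /has CAA record/ {
      # $5 = flags, $6 = property tag, the quoted value is the rest of the line
      flags = $5 + 0
      tag   = tolower($6)
      val   = $0
      sub(/^[^"]*"/, "", val)          # drop everything up to the opening quote
      sub(/"[^"]*$/,  "", val)         # drop the closing quote and anything after it
      if (tag == "issue") {
        have_issue = 1
        # the value may carry parameters: "letsencrypt.org; validationmethods=dns-01"
        split(val, parts, ";")
        issuer = parts[1]
        gsub(/^[ \t]+|[ \t]+$/, "", issuer)
        if (tolower(issuer) == tolower(ca)) matched = 1
        # issue ";" (empty issuer) permits nobody: it simply never matches
      } else if (tag != "issuewild" && tag != "iodef" && flags >= 128) {
        # unknown property with the critical flag (128) set: the CA must not issue
        critical_unknown = 1
      }
    }
    END {
      if (critical_unknown) { print "deny";  exit 1 }
      if (!have_issue)      { print "allow"; exit 0 }   # no issue property: unrestricted
      if (matched)          { print "allow"; exit 0 }
      print "deny"; exit 1
    }'
}

# check_caa_live NAME [CA_DOMAIN]
# Queries DNS and strips one label at a time, as a CA does (RFC 8659 section 3):
# the first name that returns a CAA RRset is the one that governs issuance.
check_caa_live() {
  name="$1"; ca="${2:-letsencrypt.org}"
  while [ -n "$name" ]; do
    out=$(host -t CAA "$name" 2>/dev/null) || true
    if printf '%s\n' "$out" | grep -q 'has CAA record'; then
      printf 'CAA RRset found at %s:\n%s\n' "$name" "$out"
      printf '%s\n' "$out" | caa_allows "$ca"
      return
    fi
    case "$name" in
      *.*) name="${name#*.}" ;;   # strip the leftmost label and try the parent
      *)   name="" ;;
    esac
  done
  echo "no CAA records at any label; any CA may issue"
  echo allow
  return 0
}

# Usage after sourcing this file:
#   check_caa_live app.domain.com                 # live check, climbs to domain.com, com
#   host -t CAA domain.com | caa_allows letsencrypt.org   # evaluate one query's output
```

The deny verdict for a record set that names only comodoca.com is exactly the situation in the Diagnostics section; after the zone edit, the same check should print allow, and only then is it worth retrying issuance on the platform.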