ServerRecords

Help & Troubleshooting

CAA Record

What this is

CAA records whitelist which certificate authorities may issue TLS certificates for the domain. CAs are required to check CAA before issuing; a CA not on the list must refuse.

How to read your result

No CAA record means any CA may issue (the pre-CAA default — common and acceptable). If records exist, make sure every CA you actually use is listed, including ones used indirectly by your CDN or hosting platform.

Common problems and how to fix them

CAA blocks the CA your automation uses

How it shows up: Certificate renewal suddenly fails — Let's Encrypt or your CDN reports a CAA error — and the site shows an expired-certificate warning once the old cert lapses.

How to fix it: Add an issue entry for the CA, e.g. 0 issue "letsencrypt.org", alongside existing entries. Remember platforms like Cloudflare or Netlify issue via their own CA partners — check their docs for which CAA entries they need.

CAA present on a subdomain's parent contradicts what the subdomain needs

How it shows up: Certificates issue fine for the main site but fail for a subdomain hosted on a different platform.

How to fix it: CAA is inherited from the closest ancestor that has one. Either extend the parent's CAA to include the subdomain's CA, or set a specific CAA record on the subdomain itself, which overrides the parent for that name.

Run a look up for this record