Troubleshoot: Invalid CAA Records

CAA records are DNS records attached to domains that specify precisely which certificate authorities are allowed to issue certificates for your domain. If your domain does not carry any CAA records, our systems will not have a problem issuing your certificate. If, however, your domain has CAA records on file but none for sectigo.com as an allowed certificate authority, our system will not be able to issue your certificate.

If you are seeing the "Invalid CAA Records" error message, please take one of the following steps:

  • either: remove all CAA records from your domain(s)
  • or: add a new CAA record to your domain(s) with sectigo.com as the value

Adding CAA Records

In order to add CAA records that will allow ZeroSSL to issue certificates for your domain, please log in to your domain or hosting provider, navigate to the DNS management section and add a set of CAA records as shown in the examples below.

Example #1:
Allow ZeroSSL certificates for site.com, including any subdomains as well as wildcards.

site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild "sectigo.com"

Example #2:
Allow ZeroSSL certificates for site.com, including any subdomains but not including wildcards.

site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild ";"

Example #3:
Allow ZeroSSL certificates for page.site.com only, not including the root domain, any subdomains, or wildcards.

page.site.com. 3600 IN CAA 0 issue "sectigo.com"
site.com. 3600 IN CAA 0 issuewild ";"
site.com. 3600 IN CAA 0 issue ";"
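
To check a record set before requesting a certificate, the following added example (not ZeroSSL's or Sectigo's code) evaluates Examples #1 to #3 the way RFC 8659 describes: climb from the requested name to the closest ancestor that has CAA records, then apply issuewild to wildcard requests and issue otherwise. The record sets are constructed from the examples above; the function names and the other-ca.example issuer used in the test are assumptions, and flags, issuer parameters and CNAMEs are not handled.

```python
# Constructed inputs: the CAA record sets from Examples #1-#3 as (tag, value) pairs.
EXAMPLE_1 = {"site.com.": [("issue", "sectigo.com"), ("issuewild", "sectigo.com")]}
EXAMPLE_2 = {"site.com.": [("issue", "sectigo.com"), ("issuewild", ";")]}
EXAMPLE_3 = {
    "page.site.com.": [("issue", "sectigo.com")],
    "site.com.": [("issuewild", ";"), ("issue", ";")],
}


def relevant_rrset(zone, fqdn):
    """Climb from fqdn towards the root; return the first CAA set found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return zone[owner]
    return []


def issuers(rrset, tag):
    """Issuer domains named by one property tag; ';' yields an empty name."""
    return [v.split(";")[0].strip().lower() for t, v in rrset if t == tag]


def may_issue(zone, name, ca="sectigo.com"):
    """True if `ca` is authorized for `name` (which may start with '*.')."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    # issuewild only applies to wildcard requests and then replaces issue.
    allowed = issuers(rrset, "issuewild") if wildcard else []
    if not allowed:
        allowed = issuers(rrset, "issue")
        if not allowed:  # no restricting property found: CAA does not restrict
            return True
    return ca in allowed


if __name__ == "__main__":
    for label, zone in (("#1", EXAMPLE_1), ("#2", EXAMPLE_2), ("#3", EXAMPLE_3)):
        for name in ("site.com", "*.site.com", "page.site.com", "*.page.site.com"):
            print(label, name, "allowed" if may_issue(zone, name) else "refused")
```

Because names below page.site.com inherit its record set, Example #3 still authorizes sectigo.com for *.page.site.com; an issuewild ";" record at page.site.com is what refuses wildcards there.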