CCA Error when renewing Netlify Lets Encrypt SSL Certificate

I am having an issue implementing CAA records. The domains in question i want to limit the CAA to Lets encrypt however if i do this then netlify is unable to renew SSL certificates.

If I remove the record it renews the certificate.

Name Type Value CAA 0 issue “;”
0 issuewild “
0 iodef “

This is the record am i missing something does Netlify need to be added?

Hey @lycaon-security

I cannot comment on the CAA record, however I can see isn’t configured per the Configure external DNS for a custom domain documentation. The secord record here ( will cause issues here. Only the A record pointing to should exist.

% dig		3600	IN	A		3600	IN	A

Having a non-Netlify IP address like this will cause issues with provision/renewal of SSL certificates.

Hi @lycaon-security,

For CAA, your iodef property is correct.

However, issuewild will be ignored when processing a TLS certificate request which is not a wildcard domain. In that case, it will fall to your issue property which prohibit any CA from issuing TLS cert for your domain.

So, Let’s Encrypt will be able to issue a certificate for * or * but nothing else. It won’t be able to issue a cert for or

I personally have been running my domain with only 0 issue "" and the iodef property and it would work just fine.

@coelmay Thanks for this

Im a little confused by your comment as the subdomain www record is configured as a CNAME per the document you liked to that is correct

The Apex domain is a ANAME but will return as A but this is also correct if I’m missing something please let me know

lycaonsec is the primary domain not www

My apologies @lycaon-security, your setup is correct—my information was not :sob:

Going back to your original post, if you add the CAA record, SSL certificate generation stops working. I suspect @luke might best know what the issue here.

Hey @lycaon-security,

I’m not sure what the status of this thread is. You appear to have 0 issue "" as your CAA record and you also seem to have got the SSL. Is this resolved or do you need something specific?