Could not provision a Let’s Encrypt certificate for your custom domain

pixelart · February 14, 2022, 10:58am

Hi,

we are having problems deploying an SSL certificate for our custom domain myuntha-stage.px.at for the site untha-portal-2021-stage.

The verification step works without problems, but in the second step (Provision certificate), we are getting the error “We could not provision a Let’s Encrypt certificate for your custom domain.”

Our DNS configuration looks like this, we are using Route53 as our DNS Provider:

luke · February 15, 2022, 6:11am

Hi, @pixelart. The issue in this case is that there are CAA type DNS records blocking anyone but amazon.com from creating SSL certificates for this domain (or any of its subdomains):

myuntha-stage.px.at.	300	IN	CAA	0 issue "amazon.com"

You will need to delete or modify that CAA record above in order for Let’s Encrypt to be able to provision SSL certificate for this domain.

Let’s Encrypt as more documentation about this here:

This topic on the Let’s Encrypt support forums also has a great example of the required records:

If you have other questions or if you still cannot get an SSL certificate provisioned after updating the CAA record, please let us know.

Mitchela · February 15, 2022, 10:37am

I had an existing domain on Hover and used to run my website from a self-hosted Hetzner VPS. But during the past decade, the website and my server had become a mess. I wanted to start using a static site generator and to make deployment easier.

perry · February 15, 2022, 5:15pm

hi mitchela, this seems unrelated - and we’re probably best able to answer if we know the actual question would you mind starting a new thread with a bit more information so we can assist?

pixelart · February 25, 2022, 7:45am

Thank you that fixed it, our CAA record is now:

0 issue "amazon.com"
0 issue "letsencrypt.org"