How do I resolve CAA errors for issuing or renewing an ACM certificate?

Last updated: 2020-04-15

I requested a new certificate or tried to renew a certificate with AWS Certificate Manager (ACM). The domain name status is "Failed", and I received an error similar to the following:

"Request failed. The status of this certificate is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error."

The validation status is "Success", even though the certificate request failed.

Short Description

A Certificate Authority Authorization (CAA) record is a DNS record that allows you to control which Certificate Authority (CA) can issue certificates for your domain or subdomain. When requesting or renewing an ACM certificate, ACM checks CAA records to verify if it's allowed for the following conditions:

  • CAA record checking climbs up DNS name tree
  • No CAA record means that any CA can issue certificates
  • CAA record checking follows CNAME record
  • The "issue" tag can be used for both non-wildcard domain and wildcard domain, while "issuewild" tag affects only the wildcard domain

Resolution

CAA record checking climbs up DNS name tree

CAA record checking starts at the request domain, and then climbs up in the DNS hierarchy tree. If you request a certificate for www.example.com, then ACM checks the CAA record for the third-level domain www.example.com first, followed by the second-level domain name example.com.

After the CAA record is found, the CAA lookup stops and the record takes effect. The following examples show which CAA record takes effect when you request a certificate for www.example.com:

(Example 1 / www.example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issue   "amazon.com"
example.com.   CAA           0      issue   "SomeCA.com"

(Result: CAA passed)

The record for the third-level domain name takes effect, which allows ACM to issue the certificate. The second-level domain name record is not used.

(Example 2 / www.example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issue   "SomeCA.com"
example.com.   CAA           0      issue   "amazon.com"

(Result: CAA failed)

The first record takes effect, which prevents ACM from issuing the certificate. The second record is ignored.

(Example 3 / www.example.com)
Domain   Record type  Flags  Tag      Value   
test.example.com.   CAA           0      issue   "SomeCA.com"
example.com.   CAA           0      issue   "amazon.com"

(Result: CAA passed)

The first record doesn't affect the CAA record for www.example.com. The second record takes effect, which allows ACM to issue the certificate.

The following examples shows which CAA record takes effect when you request a certificate for example.com:

(Example 4 / example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issue   "amazon.com"
example.com.   CAA           0      issue   "SomeCA.com"

(Result: CAA failed)

The first record isn't considered because www.example.com is a subdomain of the requested domain, and CAA record checking doesn't climb down the DNS tree. The second record takes effect, which prevents ACM from issuing the certificate.

(Example 5 / example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issue   "SomeCA.com"
example.com.   CAA           0      issue   "amazon.com"

(Result: CAA passed)

The first record is ignored because www.example.com is a subdomain of the requested domain, and CAA record checking doesn't climb down the DNS tree. The second record takes effect, which allows ACM to issue the certificate.

No CAA record means that any CA can issue certificates

If you don't configure a CAA record for the request domain, any CA including ACM is allowed to issue certificates for your domain. For example, ACM can issue certificates for example.com in the following example:

(Example 6 / example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issue   ";"

(Result: CAA passed)

Because CAA checking doesn't climb down the DNS tree, the record is ignored.

CAA record checking follows CNAME record

CAA record checking proceeds with the CNAME record pointing to a different domain. In this example, www.example.com points to www.example.net, which has a CAA record:

(Example 7 / www.example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CNAME www.example.net
www.example.net.   CAA           0      issue   ";"

(Result: CAA failed)

The first record diverts CAA checking to www.example.net. This CAA record prevents any CA from issuing certificates, and ACM can't issue certificates for www.example.com.

If the pointed domain (www.example.net) doesn't have a CAA record, CAA record checking climbs up to the base domain (example.net).

(Example 8 / www.example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CNAME www.example.net
example.com.   CAA           0      issue   "amazon.com"

(Result: CAA passed)

In this scenario ACM can issue certificates for www.example.com. Note that CAA record checking doesn't climb up to the parent of a CNAME record, and the CAA record of example.net isn't checked. For more information, see APPENDIX A in Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

The "issue" tag can be used for both non-wildcard domain and wildcard domain, while "issuewild" tag only affects the wildcard domain

The "issue" tag allows CA to issue certificates for both non-wildcard domains (www.example.com) and wildcard domains (*.example.com). You can use the "issuewild" tag to indicate how CA handles wildcard domains. The following examples show which CAA record takes effect when you request a certificate for *.example.com:

(Example 9 / *.example.com)
Domain   Record type  Flags  Tag      Value   
example.com.   CAA           0      issue   "amazon.com"

(Result: CAA passed)

The CAA record allows ACM to issue both a non-wildcard domain and wildcard domain certificate, and ACM can issue the certificate.

(Example 10 / *.example.com)
Domain   Record type  Flags  Tag      Value   
example.com.   CAA           0      issue   "amazon.com"
example.com.   CAA           0      issuewild   ";"

(Result: CAA failed)

The tag field "issuewild" overrides "issue" for a wildcard domain request, and ACM can't issue the certificate.

Note: You must set up a CAA record for example.com to allow CA to issue certificates for *.example.com.

(Example 11 / *.example.com)
Domain   Record type  Flags  Tag      Value   
*.example.com.   CAA           0      issuewild   "amazon.com"
example.com.   CAA           0      issuewild   ";"

(Result: CAA failed)

The first CAA record is ignored and the second CAA record prevents CA to issue certificates for *.example.com.

The following example shows which CAA record takes effect when you request a certificate for *.test.example.com:

(Example 12 / *.test.example.com)
Domain   Record type  Flags  Tag      Value   
test.example.com.   CAA           0      issue   "amazon.com"
example.com.   CAA           0      issuewild   ";"

(Result: CAA passed)

The CAA check finds the first record, terminates the climbing, and allows ACM to issue the certificate.

The "issuewild" tag is ignored when you request a non-wildcard domain. This example shows which CAA record takes effect when you request a certificate for www.example.com:

(Example 13 / www.example.com)
Domain   Record type  Flags  Tag      Value   
www.example.com.   CAA           0      issuewild   "amazon.com"
example.com.   CAA           0      issue   ";"

(Result: CAA failed)

This is a non-wildcard domain request, so the first CAA record is ignored. The second CAA record takes effect, and CA are not allowed to issue the certificate.

For more information about creating a CAA record, see (Optional) Configure a CAA Record.


Did this article help you?

Anything we could improve?


Need more help?