Last updated：2021-03-15 15:39:19
When a user was completing certificate request information after the certificate was purchased, the message indicating that domain CAA check failed was displayed.
A CAA record was set for the domain bound to the certificate and the certificate brand contained in the CAA record value is different from that of the purchased certificate. For example, your certificate will fail to be issued when you apply for a Sectigo certificate and the CAA record value is not sectigo.com.
Log in to a Linux server and enter the following command to query domain resolution.
dig Domain name caa
The following example shows the command and output:
[[email protected] ~]# dig sec.ksyun.com caa ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> sec.ksyun.com caa ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7782 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 19 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;sec.ksyun.com. IN CAA ;; ANSWER SECTION: sec.ksyun.com. 600 IN CAA 0 issue "letsencrypt.org" sec.ksyun.com. 600 IN CAA 0 issue "sectigo.com" ;; Query time: 27 msec ;; SERVER: 220.127.116.11#53(18.104.22.168) ;; WHEN: Tue Aug 18 17:16:42 CST 2020 ;; MSG SIZE rcvd: 469
Did you find the above information helpful?
Please give us your feedback.
Thank you for your feedback.