Why does a certificate fail to be issued?

Problem description

When a user was completing certificate request information after the certificate was purchased, the message indicating that domain CAA check failed was displayed.

Reason

A CAA record was set for the domain bound to the certificate and the certificate brand contained in the CAA record value is different from that of the purchased certificate. For example, your certificate will fail to be issued when you apply for a Sectigo certificate and the CAA record value is not sectigo.com.

Test the CAA record

Log in to a Linux server and enter the following command to query domain resolution.

dig Domain name caa

The following example shows the command and output:

[[email protected] ~]# dig sec.ksyun.com caa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> sec.ksyun.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 19

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sec.ksyun.com.                 IN      CAA

;; ANSWER SECTION:
sec.ksyun.com.          600     IN      CAA     0 issue "letsencrypt.org"
sec.ksyun.com.          600     IN      CAA     0 issue "sectigo.com"

;; Query time: 27 msec
;; SERVER: 198.13.188.98#53(198.13.188.98)
;; WHEN: Tue Aug 18 17:16:42 CST 2020
;; MSG SIZE  rcvd: 469