Why does a certificate fail to be issued?

Last updated: 2021-03-15 15:39:19

Problem description

After purchasing a certificate, a user was completing the certificate request information when a message was displayed indicating that the domain CAA check failed.

Reason

A CAA record is set for the domain bound to the certificate, and the certificate brand named in the CAA record value is different from the brand of the purchased certificate. For example, if you apply for a Sectigo certificate and the CAA record value is not sectigo.com, the certificate will fail to be issued.

Test the CAA record

Log in to a Linux server and enter the following command to query the CAA records of the domain, replacing <domain name> with the domain bound to the certificate.

dig <domain name> caa

The following example shows the command and output:

[root@vm11 ~]# dig sec.ksyun.com caa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> sec.ksyun.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7782
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 19

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sec.ksyun.com.                 IN      CAA

;; ANSWER SECTION:
sec.ksyun.com.          600     IN      CAA     0 issue "letsencrypt.org"
sec.ksyun.com.          600     IN      CAA     0 issue "sectigo.com"

;; Query time: 27 msec
;; SERVER: 198.13.188.98#53(198.13.188.98)
;; WHEN: Tue Aug 18 17:16:42 CST 2020
;; MSG SIZE  rcvd: 469
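The check behind this failure can be reproduced on the dig output. The following is an added example, not code from the original page or from the certificate service: a hypothetical shell function, caa_permits, that reads dig answer lines and applies the RFC 8659 rule that a set of issue records restricts issuance to the listed CAs, while a record set with no issue records imposes no restriction. The optional "wild" argument and the use of digicert.com as a CA absent from the record set are assumptions made for illustration.

```shell
#!/bin/sh
# caa_permits CA_DOMAIN [wild]   (hypothetical helper, added example)
# Reads dig output (answer-section format) on stdin.
# Exit status 0: the CA may issue. Exit status 1: the CAA records forbid it.
caa_permits() {
    awk -v ca="$1" -v wild="${2:-}" '
    BEGIN { ca = tolower(ca) }
    # Only resource-record lines: name TTL IN CAA flags tag "value"
    $3 == "IN" && $4 == "CAA" {
        tag = tolower($6)
        val = $7
        for (i = 8; i <= NF; i++) val = val " " $i
        gsub(/"/, "", val)       # strip the quotes dig prints
        sub(/;.*/, "", val)      # drop parameters; a bare ";" becomes empty
        gsub(/[ \t]/, "", val)
        val = tolower(val)
        if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
        # Wildcard requests use issuewild records when any are present.
        if (wild == "wild" && n_wild > 0) exit (ok_wild ? 0 : 1)
        if (n_issue > 0) exit (ok_issue ? 0 : 1)
        exit 0                   # no relevant records: not restricted
    }'
}

# The two answer lines shown in the dig output above.
PAGE_RRSET='sec.ksyun.com. 600 IN CAA 0 issue "letsencrypt.org"
sec.ksyun.com. 600 IN CAA 0 issue "sectigo.com"'

for candidate in sectigo.com digicert.com; do
    if printf '%s\n' "$PAGE_RRSET" | caa_permits "$candidate"; then
        echo "$candidate: permitted by CAA"
    else
        echo "$candidate: blocked by CAA"
    fi
done
```

On a live system the full output of the dig command can be piped straight into caa_permits, since comment lines are ignored. When the name itself has no CAA records, a CA checks the parent domains in turn, so repeat the query for each parent name.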
