Home About Blog

Let's Encrypt certificate not provisioning due to DNS record issues

Recently we had a number of users who had issues either provisioning or renewing their free SSL certificate through our portal.

We use Let’s Encrypt for SSL, some DNS providers have not setup CAA records correctly.
A CAA record check is now mandatory for most major certificate authorities as voted on by CAB earlier this year.


This means that going forward, this DNS provider will fail CAA checks from all SSL certificate issuers.

There are a number of options here:

  1. Opening a support ticket with your DNS provider and ask that they fix the issue. section.io can provide technical details to relay to your DNS provider if needed.

  2. Change to a DNS provider that supports querying CAA records correctly. section.io also offers free DNS hosting.

  3. Obtain a custom certificate through a Certificate Authority which has not implemented CAA checks yet and upload it through the section.io portal.

There is also another scenario where a CAA record is present but Let’s Encrypt isn’t listed as an authorized provider for certificates.

In that case, you can fix this issue by adding letsencrypt.org to you existing CAA record.