How do I resolve CAA “Failed” error when an ACM certificate is issued or renewed?
I requested a new certificate or tried to renew a certificate with AWS Certificate Manager (ACM) but the domain name status is "Failed". The validation status is "Success", even though the certificate request failed.
Short description
A Certificate Authority Authorization (CAA) record is a DNS record that lets you control which Certificate Authorities (CAs) can issue certificates for your domain. ACM checks CAA records to verify that the domain owner allows ACM to issue an SSL certificate for the domain. CAA checking follows these rules:
- CAA record checking moves up the DNS name tree.
- No CAA record means that any CA can issue certificates.
- CAA record checking follows the CNAME record.
- The "issue" tag applies to both non-wildcard domains and wildcard domains, while the "issuewild" tag affects only wildcard domains.
Resolution
CAA record checking moves up the DNS name tree
CAA record checking starts at the request domain, and then moves up in the DNS name tree. If you request a certificate for www.example.com, ACM first checks the CAA record for the third-level domain www.example.com. Then, ACM checks for the second-level domain name example.com.
After the CAA record is found, the CAA lookup stops and the record takes effect. The following examples show which CAA record takes effect when you request a certificate for www.example.com:
Example 1 (request for www.example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CAA          0      issue  "amazon.com"
example.com.      CAA          0      issue  "SomeCA.com"
Result: CAA passed
The record for the third-level domain name takes effect, which allows ACM to issue the certificate. The second-level domain name record isn't used.
Example 2 (request for www.example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CAA          0      issue  "SomeCA.com"
example.com.      CAA          0      issue  "amazon.com"
Result: CAA failed
The first record takes effect, which prevents ACM from issuing the certificate. The second record is ignored.
Example 3 (request for www.example.com)
Domain             Record type  Flags  Tag    Value
test.example.com.  CAA          0      issue  "SomeCA.com"
example.com.       CAA          0      issue  "amazon.com"
Result: CAA passed
The first record doesn't affect the CAA record for www.example.com. The second record takes effect, which allows ACM to issue the certificate.
The following examples show which CAA record takes effect when you request a certificate for example.com:
Example 4 (request for example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CAA          0      issue  "amazon.com"
example.com.      CAA          0      issue  "SomeCA.com"
Result: CAA failed
The first record doesn't take effect because www.example.com is a subdomain of the requested domain, and CAA record checking doesn't move down the DNS tree. The second record takes effect, which prevents ACM from issuing the certificate.
Example 5 (request for example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CAA          0      issue  "SomeCA.com"
example.com.      CAA          0      issue  "amazon.com"
Result: CAA passed
The first record is ignored because www.example.com is a subdomain of the requested domain, and CAA record checking doesn't move down the DNS name tree. The second record takes effect, which allows ACM to issue the certificate.
No CAA record means that any CA can issue certificates
If you don't configure a CAA record for the requested domain, then any CA, including ACM, can issue certificates for your domain. For example, ACM can issue certificates for example.com in the following case:
Example 6 (request for example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CAA          0      issue  ";"
Result: CAA passed
Because CAA checking doesn't move down the DNS tree, the record is ignored.
CAA record checking follows the CNAME record
CAA record checking follows a CNAME record that points to a different domain. In this example, www.example.com points to www.example.net, which has a CAA record:
Example 7 (request for www.example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CNAME                       www.example.net
www.example.net.  CAA          0      issue  ";"
Result: CAA failed
The first record redirects CAA checking to www.example.net. This CAA record prevents any CA from issuing certificates, and ACM can't issue certificates for www.example.com.
If the CNAME target www.example.net doesn't have a CAA record, CAA record checking moves up to the base domain example.com:
Example 8 (request for www.example.com)
Domain            Record type  Flags  Tag    Value
www.example.com.  CNAME                       www.example.net
example.com.      CAA          0      issue  "amazon.com"
Result: CAA passed
In this scenario, ACM can issue certificates for www.example.com because www.example.net doesn't have any CAA record configured. Note that CAA record checking doesn't move up to the parent of a CNAME record, and the CAA record of example.net isn't checked. For more information, see APPENDIX A on the CA/Browser Forum website.
The "issue" tag applies to both non-wildcard and wildcard domains, while the "issuewild" tag affects only wildcard domains
The "issue" tag allows a CA to issue certificates for both non-wildcard domains (www.example.com) and wildcard domains (*.example.com). You can use the "issuewild" tag to control how a CA handles wildcard domains. The following examples show which CAA record takes effect when you request a certificate for *.example.com:
Example 9 (request for *.example.com)
Domain        Record type  Flags  Tag    Value
example.com.  CAA          0      issue  "amazon.com"
Result: CAA passed
The CAA record allows ACM to issue both non-wildcard and wildcard certificates, so ACM can issue the certificate.
Example 10 (request for *.example.com)
Domain        Record type  Flags  Tag        Value
example.com.  CAA          0      issue      "amazon.com"
example.com.  CAA          0      issuewild  ";"
Result: CAA failed
The "issuewild" tag overrides "issue" for a wildcard domain request, so ACM can't issue the certificate. Note: You must set up a CAA record for example.com to allow a CA to issue certificates for *.example.com.
Example 11 (request for *.example.com)
Domain          Record type  Flags  Tag        Value
*.example.com.  CAA          0      issuewild  "amazon.com"
example.com.    CAA          0      issuewild  ";"
Result: CAA failed
The first CAA record is ignored, and the second CAA record prevents any CA from issuing certificates for *.example.com.
The following example shows which CAA record takes effect when you request a certificate for *.test.example.com:
Example 12 (request for *.test.example.com)
Domain             Record type  Flags  Tag        Value
test.example.com.  CAA          0      issue      "amazon.com"
example.com.       CAA          0      issuewild  ";"
Result: CAA passed
The CAA check finds the first record, terminates moving up the DNS name tree, and allows ACM to issue the certificate.
The "issuewild" tag is ignored when you request a non-wildcard domain. This example shows which CAA record takes effect when you request a certificate for www.example.com:
Example 13 (request for www.example.com)
Domain            Record type  Flags  Tag        Value
www.example.com.  CAA          0      issuewild  "amazon.com"
example.com.      CAA          0      issue      ";"
Result: CAA failed
This is a non-wildcard domain request, so the first CAA record is ignored. The second CAA record takes effect, and no CA is allowed to issue the certificate.
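To check a DNS layout against the rules above before requesting a certificate, the following added example (not ACM's code or part of this article) simulates the lookup over a constructed in-memory zone: it climbs the name tree, follows CNAMEs, strips the wildcard label, and applies the issue/issuewild precedence exactly as Examples 6 through 13 describe. The CA identifier "amazon.com", the zone layout and the record data are assumptions constructed for illustration.

```python
# Added example: simulates this page's CAA lookup rules over a constructed
# in-memory zone. Not ACM's code; every name and record here is constructed.
# Zone shape: name -> ("CNAME", target) or ("CAA", [(tag, value), ...]).
# Flags are omitted because every record on this page uses flags 0.

def caa_at(zone, name):
    """CAA records at `name`, following a CNAME if present (Examples 7 and 8).
    If the CNAME target has no CAA record the result is empty; the caller then
    climbs from the original name, never from the target's parent."""
    seen = set()
    while name in zone and zone[name][0] == "CNAME" and name not in seen:
        seen.add(name)                       # guard against CNAME loops
        name = zone[name][1]
    rtype, data = zone.get(name, ("", []))
    return list(data) if rtype == "CAA" else []

def relevant_caa_set(zone, base, wildcard):
    """Climb from `base` to the first CAA set holding a record that applies to
    this request type. Per Example 13, a set with only issuewild records does
    not count for a non-wildcard request, so the climb continues past it."""
    labels = base.rstrip(".").split(".")
    for i in range(len(labels) - 1):         # stop before the TLD
        rrset = caa_at(zone, ".".join(labels[i:]) + ".")
        if any(t == "issue" or (wildcard and t == "issuewild") for t, _ in rrset):
            return rrset
    return []

def caa_allows(zone, requested, ca="amazon.com"):
    """Would the CA identified by `ca` be authorised to issue for `requested`?"""
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested   # *.X is checked from X (Example 11)
    rrset = relevant_caa_set(zone, base, wildcard)
    # issuewild overrides issue for a wildcard request only when present (Example 10).
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    allowed = [v for t, v in rrset if t == tag]
    if not allowed:
        return True                          # no applicable record: any CA may issue (Example 6)
    return ca in allowed                     # ";" names no CA, so nothing is authorised

def page_examples():
    """Replay Examples 2, 8, 12 and 13 on constructed zones: {example: passed?}."""
    z2 = {"www.example.com.": ("CAA", [("issue", "SomeCA.com")]),
          "example.com.": ("CAA", [("issue", "amazon.com")])}
    z8 = {"www.example.com.": ("CNAME", "www.example.net."),
          "example.net.": ("CAA", [("issue", ";")]),    # constructed: must never be consulted
          "example.com.": ("CAA", [("issue", "amazon.com")])}
    z12 = {"test.example.com.": ("CAA", [("issue", "amazon.com")]),
           "example.com.": ("CAA", [("issuewild", ";")])}
    z13 = {"www.example.com.": ("CAA", [("issuewild", "amazon.com")]),
           "example.com.": ("CAA", [("issue", ";")])}
    return {2: caa_allows(z2, "www.example.com"), 8: caa_allows(z8, "www.example.com"),
            12: caa_allows(z12, "*.test.example.com"), 13: caa_allows(z13, "www.example.com")}
```

Replace the constructed zone with your own records (as returned by dig CAA) to predict whether ACM's CAA check will pass before you submit the request.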
For more information about configuring a CAA record, see (Optional) configure a CAA record.
Related information
DNS Certification Authority Authorization (CAA) resource record on the Datatracker website