FIX: A DNS CAA record exists for domain(s) bwb.cloud which forbids the issuance of this certificate

Disclaimer

This is an error message that my colleague Remco Bruijstens got while trying to re-new a certificate in an Azure WebApp. He resolved the issue by himself. I simulated the error and created a blog post in consultation with Remco.

The error message:

A DNS CAA record exists for domain(s) bwb.cloud which forbids the issuance of this certificate.

You do not have to be working in Azure to receive this error. The solution also works when you are simply applying for a certificate at a certificate authority.


What does the error message mean?

The error message actually speaks for itself: a CAA record is active on the bwb.cloud domain. I had never heard of a CAA record before, so that was a great learning opportunity. In the CAA record you indicate which Certification Authorities (CAs) are authorized to issue certificates for your domain.

CAA records are fairly new: they were specified in 2013 (RFC 6844), and since 2017 certificate authorities have been required to check them before they process a new certificate. Having a CAA record on your domain is not required, though.

In the chapter ‘What is a CAA record’ I share the explanation from dnsimple.com. At the bottom of that chapter is a link to the full explanation.


Let’s fix ‘A DNS CAA record exists for domain(s) bwb.cloud which forbids the issuance of this certificate’.

But how do we solve this?

If it is intended that your certificates are bought from the Certification Authority listed in your CAA record, then you will have to request the certificate from that CA instead.


Should the CAA record not exist on your domain at all?

Then we can go ahead and remove the CAA record.

To delete the record, we must first log on at your domain registrar. Don’t know who your domain registrar is? Go to http://whois.domaintools.com and enter your domain to see your registrar.

For bwb.cloud it’s Godaddy.com, Inc.


Log on to your domain registrar and go to your DNS records. Here you’ll see a CAA record as in the image below.


After you remove the record you will be able to renew your certificate at a different Certification Authority. Keep in mind that a domain without any CAA record lets every CA issue certificates for it (see the next chapter); if you want to keep that restriction, add the new CA to the CAA record instead of deleting it.


What is a ‘CAA Record’?

A Certification Authority Authorization (CAA) record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain.

The purpose of the CAA record is to allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

CAA records can set policy for the entire domain, or for specific hostnames. CAA records are also inherited by subdomains. Therefore, a CAA record set on example.com also applies to any subdomain, such as subdomain.example.com (unless overridden). CAA records can control the issuance of single-name certificates, wildcard certificates, or both.

From: https://support.dnsimple.com/articles/caa-record/
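To see why a single record on bwb.cloud blocks a certificate for any of its hostnames, here is an added Python example (not from the original post, and not Azure's or any CA's code) that evaluates a CAA record set the way a CA must under RFC 8659: climbing to the parent domain, honouring issue/issuewild and the critical flag. The zone data and the CA identifier strings are constructed assumptions, not real DNS records.

```python
from typing import Dict, List, Tuple

# Constructed sample zone data (not anyone's real DNS): name -> [(flags, tag, value)].
# "bwb.cloud" is modelled on the post; the CA identifier strings are assumptions.
SAMPLE_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "bwb.cloud": [(0, "issue", "comodoca.com")],
    "strict.example": [(0, "issue", ";")],            # ";" forbids every CA
    "wild.example": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", "digicert.com")],
    "odd.example": [(128, "futuretag", "x")],          # critical flag, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str, zone=SAMPLE_ZONE) -> List[Tuple[int, str, str]]:
    """Return the CAA RRset governing `name`: the first non-empty set found while
    climbing from the hostname towards the root (RFC 8659 section 3), which is why
    a record on bwb.cloud also covers www.bwb.cloud."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_may_issue(hostname: str, ca_id: str, wildcard: bool = False,
                 zone=SAMPLE_ZONE) -> bool:
    """Decide, as a CA must before issuing, whether `ca_id` may issue for `hostname`."""
    rrset = lookup_caa(hostname, zone)
    if not rrset:
        return True  # no CAA record anywhere up the tree: any CA may issue
    # A record flagged critical (bit 128) with a tag the CA does not understand
    # means the CA must refuse to issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in rrset if t == tag]
    if wildcard and not relevant:  # no issuewild: the issue records apply instead
        relevant = [v for _, t, v in rrset if t == "issue"]
    if not relevant:
        return True  # only iodef/other tags present: issuance is not restricted
    for value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()  # "ca.example; params"
        if issuer and issuer == ca_id.lower():
            return True
    return False  # the post's case: the requested CA is not the one listed
```

On a live domain the same record set is what `dig bwb.cloud CAA +short` returns; feed its lines into `SAMPLE_ZONE` to check a CA before changing anything at the registrar.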


Azure WebApp Deployment name: Microsoft.SSL error message

First error message that was shown in https://portal.azure.com:

Azure WebApp Certificate – Deployment Failed
Additional details from the underlying API that might be helpful: At least one resource deployment operation failed. Please list deployment operations for details.

Okay, well that isn’t much to troubleshoot.
If you click on Deployment failed you can read the JSON file.

The final error message below triggered my colleague to look up the DNS records for the domain.

 {
    "Code": "CertificateResellerWebService_CertificateCreationError",
    "Message": "Failed to create certificate order",
    "Target": null,
    "Details": [
        {
            "Message": "Failed to create certificate order"
        },
        {
            "Code": "CertificateResellerWebService_CertificateCreationError"
        },
        {
            "ErrorEntity": [
                {
                    "code": "439",
                    "message": "A DNS CAA record exists for domain(s) bwb.cloud which forbids the issuance of this certificate",
                    "path": null
                }
            ]
        }
    ],
    "Innererror": null
} 

In my case this was bwb.cloud, which had a CAA record pointing to Comodo.com.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.
