As a security measure, the ability to issue SSL certificates can be restricted to specific Certificate Authorities by using CAA records. By setting up the appropriate CAA records for your domain, you’re ensuring that Let’s Encrypt can issue certificates for your domain, while also preventing other certificate authorities from doing so without your authorization. For more info on CAA records, read this article.
When Really Simple SSL detects a CAA record that will prevent Let’s Encrypt from issuing a certificate, we will notify you so you can add the appropriate CAA record in DNS. To add a CAA record for Let’s Encrypt, follow the instructions below:
- Log in to your DNS provider account: You’ll need access to the domain name system (DNS) records for your domain, so log in to your DNS provider’s account.
- Add the CAA record to your DNS provider’s records for your domain. Depending on your DNS provider, the interface for creating records may vary.
The record should look like this: 0 issue "letsencrypt.org"
- Optional: For added security, remove other CAA records present to prevent other CAs from issuing certificates for your domain.
Make sure you are not using other certificate authorities on subdomains or for other purposes such as email or software signing before removing the other CAA records!
- Verify the CAA record
Once you’ve created the CAA records, verify that they’re set up correctly by using a tool such as https://www.nslookup.io/caa-lookup/ to check your domain’s CAA records. The tool should show the CAA record you just created. If you don’t see the record, double-check that you created the record correctly and that your DNS provider has updated its servers.
With the CAA record set up, you can now let Really Simple SSL obtain a Let’s Encrypt certificate for your domain.
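An added example (not Really Simple SSL's own code) of how a CA evaluates CAA records under RFC 8659, which lets you predict whether an existing record blocks Let's Encrypt and why a subdomain inherits its parent's records. The zone data is constructed, record lines use the format printed by `dig +short <domain> CAA`, and the set of tags the CA understands is an assumption.

```python
import re

# One record as printed by `dig +short example.com CAA`: flags tag "value"
CAA_LINE = re.compile(r'^\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*$')
UNDERSTOOD = {"issue", "issuewild", "iodef"}  # assumption: tags the CA understands

def parse_caa(lines):
    """Parse record lines into (flags, tag, value) tuples."""
    out = []
    for line in lines:
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        out.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return out

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return parse_caa(records)
    return []

def ca_may_issue(name, zone, ca="letsencrypt.org", wildcard=False):
    """True if CAA lets `ca` issue for name (pass wildcard names without '*.')."""
    records = relevant_rrset(name, zone)
    if any(f & 0x80 and t not in UNDERSTOOD for f, t, _ in records):
        return False  # unknown property marked critical: the CA must refuse

    def issuers(tag):
        # Issuer domain is the part before any ';' parameters; ";" alone names nobody.
        return [v.split(";", 1)[0].strip().lower() for _, t, v in records if t == tag]

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    allowed = (wildcard and issuers("issuewild")) or issuers("issue")
    # No issue/issuewild property at all: CAA does not restrict issuance.
    return ca in allowed if allowed else True

# Constructed sample zone (not real DNS data).
ZONE = {
    "example.com": ['0 issue "digicert.com"', '0 iodef "mailto:sec@example.com"'],
    "shop.example.com": ['0 issue "letsencrypt.org"', '0 issue "digicert.com"'],
    "locked.example.com": ['0 issue ";"'],
}
```

Here `www.example.com` has no CAA records of its own, so the parent's `digicert.com`-only record applies and Let's Encrypt is refused until `0 issue "letsencrypt.org"` is added.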