CAA Records and Certificate Renewal
What Are CAA Records?
CAA (Certificate Authority Authorization) records are DNS records (RFC 8659) that specify which certificate authorities (CAs) may issue TLS/SSL certificates for your domain. Before issuing, a CA looks up CAA records for the requested name and, if none exist there, for each parent domain in turn; the first set it finds is the one that applies. If that set names other CAs but not the CA the WAF uses, certificate issuance and renewal will fail.
How CAA Records Affect the WAF
The WAF uses GoDaddy/Starfield as the certificate authority for SSL certificates. When your domain has CAA records that restrict certificate issuance to other CAs (such as Let’s Encrypt or DigiCert only), the WAF cannot issue or renew your certificate.
This commonly results in:
- Certificate renewal failures with a “Renewal not allowed” error
- Emails from Sucuri/GoDaddy about failed certificate requests
- Your site showing an expired or invalid certificate
How to Fix It
Add the following CAA record to your domain’s DNS configuration to allow GoDaddy/Starfield to issue certificates:
CAA Record to Add:
- Type: CAA
- Name: @ (or your domain name)
- Flag: 0
- Tag: issue
- Value: godaddy.com
If you also use wildcard certificates and your zone already has issuewild records (issuewild records, when present, override issue records for wildcard names), add a second CAA record:
- Type: CAA
- Name: @ (or your domain name)
- Flag: 0
- Tag: issuewild
- Value: godaddy.com
If your zone has no issuewild records, the issue record above also covers wildcard names and no second record is needed.
You do not need to remove your existing CAA records for other CAs. Multiple CAA records can coexist - simply add the GoDaddy entry alongside your existing ones.
Verifying Your CAA Records
You can check your current CAA records using a DNS lookup tool or the command line:
dig CAA yourdomain.com
In the ANSWER SECTION you should see godaddy.com listed among the results, in a line like: yourdomain.com. 3600 IN CAA 0 issue "godaddy.com" (use dig +short CAA yourdomain.com for just the record data). If the WAF certificate is for a subdomain (for example www.yourdomain.com) that has no CAA records of its own, check the parent domain as well, since its records are the ones that apply.
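The following script is an added example, not part of this support page or the WAF's own code. It applies the CAA rules described above (walk from the name up to the root and use the first CAA set found; an issuewild set, when present, overrides issue for wildcard names; a critical record with an unknown tag forbids issuance) to record sets built from the same text that dig +short CAA prints. The zone data for example.com is constructed sample data, not a real DNS answer, and the function names are this example's own; it shows why issuance fails before the fix, succeeds after the issue record is added, and why wildcards still fail until an issuewild record is added when one for another CA already exists.

```python
"""Offline check of whether a CA may issue for a name under a zone's CAA records.

Implements the RFC 8659 lookup rules: climb from the name towards the root and
use the first CAA set found; for wildcard names an issuewild set, if present,
overrides the issue set; a record flagged critical (128) with an unknown tag
forbids issuance. The record sets below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]   # (flags, tag, value)
Zone = Dict[str, List[CAARecord]]  # owner name -> its CAA records

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_DIG_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_dig_short(output: str) -> List[CAARecord]:
    """Parse lines in the form printed by `dig +short CAA <name>`, e.g. 0 issue "godaddy.com"."""
    records: List[CAARecord] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _DIG_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record line: {line!r}")
        records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def relevant_caa_set(zone: Zone, name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Return the first owner name, walking from `name` up to the root, that has CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def _issuer_domain(value: str) -> str:
    """'godaddy.com; accounturi=...' -> 'godaddy.com'; an empty domain means no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def ca_permitted(zone: Zone, name: str, ca: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether `ca` (its CAA identifier, e.g. 'godaddy.com') may issue for `name`."""
    owner, records = relevant_caa_set(zone, name)
    if not records:
        return True, f"no CAA records for {name} or any parent; issuance is unrestricted"
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False, f"critical record with unknown tag '{tag}' at {owner}"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild takes precedence over issue for wildcard names
    allowed = [_issuer_domain(v) for _, t, v in records if t == tag]
    if not allowed:
        return True, f"no '{tag}' records at {owner}; issuance is unrestricted"
    if ca.lower() in allowed:
        return True, f"'{tag}' record at {owner} names {ca}"
    return False, f"'{tag}' records at {owner} allow only {sorted(allowed)}"


# Constructed sample: what `dig +short CAA example.com` might print for a zone
# locked to Let's Encrypt, with wildcards locked to DigiCert.
BEFORE: Zone = {"example.com": parse_dig_short('0 issue "letsencrypt.org"\n0 issuewild "digicert.com"\n')}

# The same zone after adding only the issue record this page asks for.
AFTER_ISSUE_ONLY: Zone = {"example.com": BEFORE["example.com"] + [(0, "issue", "godaddy.com")]}

# ... and after also adding the issuewild record.
AFTER_BOTH: Zone = {"example.com": AFTER_ISSUE_ONLY["example.com"] + [(0, "issuewild", "godaddy.com")]}


if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("issue only", AFTER_ISSUE_ONLY), ("issue+issuewild", AFTER_BOTH)):
        for name, wild in (("www.example.com", False), ("example.com", True)):
            ok, why = ca_permitted(zone, name, "godaddy.com", wildcard=wild)
            shown = ("*." if wild else "") + name
            print(f"{label:16} {shown:18} {'OK' if ok else 'NO'}  {why}")
```

To check a live zone, paste the output of dig +short CAA for your domain (and, for a subdomain, for each parent) into parse_dig_short and build the zone dictionary from it; the decision logic is the same one a CA applies before honoring a request.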
After Updating CAA Records
Once you have added the CAA record, please contact us at support@expeditedsecurity.com and we will re-trigger the certificate renewal process. Changes to DNS records can take time to propagate, depending on the record's TTL, in some cases up to 24 hours; confirm with dig that the new record is visible before asking for the renewal to be re-run.
API Help
We’re happy to help you with certificate renewal issues. Please don’t hesitate to:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min