I’m trying to connect a custom domain to my project and getting an error “Domain failed validation due to a Certificate Authority Authentication (CAA) error”. How can I fix this?
Hello!
The error is related to the CAA record settings on your DNS server.
To fix this, update your DNS and add a CAA record for “amazon.com”, allowing AWS to create an SSL cert on your behalf.
After that is done, delete the connected domain setup on your 8th Wall project and please try again.
Reference: Resolve CAA errors for issuing or renewing an ACM certificate | AWS re:Post
For example, the following DNS config only allows SSL certificates to be issued by DigiCert. All other requests will be denied.
$ dig CAA mydomain.com
...
...
;; ANSWER SECTION:
mydomain.com. 56 IN CAA 0 issue "digicert.com"
The above means that the current DNS config will ONLY allow SSL certificate requests from “digicert.com” and nobody else. Simply add another CAA record for “amazon.com” and you should be able to proceed. Note that, per the AWS documentation link above, if there were no CAA records at all, any Certificate Authority (CA) could issue certificates - but since ONE or more records exist, ONLY those services can issue certificates and everything else will be rejected.
The following example should work:
$ dig CAA mydomain.com
...
...
;; ANSWER SECTION:
mydomain.com. 56 IN CAA 0 issue "digicert.com"
mydomain.com. 56 IN CAA 0 issue "amazon.com"
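As an added illustration of the rule described in the answer (not code from the thread or from 8th Wall/AWS), the following Python evaluates a CAA record set the way a CA does under RFC 8659: no CAA records means any CA may issue, otherwise the CA's domain must be listed in an `issue` property (or `issuewild` for wildcard requests), and an empty value (`";"`) forbids issuance. The zone data is constructed inline in `dig` presentation format; `fixed.example` is a hypothetical name standing for the corrected configuration.

```python
import re

# Constructed sample zone data in `dig` presentation format (not a real lookup).
SAMPLE_ZONE = {
    "mydomain.com.": [
        'mydomain.com. 56 IN CAA 0 issue "digicert.com"',
    ],
    "fixed.example.": [
        'fixed.example. 56 IN CAA 0 issue "digicert.com"',
        'fixed.example. 56 IN CAA 0 issue "amazon.com"',
        'fixed.example. 56 IN CAA 0 issuewild ";"',  # no wildcard certs at all
    ],
}

CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(line):
    """Return (flags, tag, value) from one dig-style CAA answer line."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa_set(name, zone):
    """RFC 8659 s3: the CAA set of the closest ancestor (or the name itself) applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return [parse_caa(line) for line in zone[candidate]]
    return []

def ca_allowed(name, ca_domain, zone, wildcard=False):
    """True if ca_domain may issue for name under the relevant CAA set.
    No CAA records -> any CA may issue. Otherwise ca_domain must appear in an
    'issue' (or, for wildcards, 'issuewild') property; an empty value forbids all."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    allowed = set()
    for _, t, value in records:
        if t == tag:
            domain = value.split(";", 1)[0].strip().lower()  # strip parameters
            if domain:
                allowed.add(domain)
    return ca_domain.lower() in allowed
```

Running `ca_allowed("mydomain.com", "amazon.com", SAMPLE_ZONE)` reproduces the failure in the question, while the `fixed.example` set lets both DigiCert and Amazon issue non-wildcard certificates.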