[SOLVED] Worker Custom Domain's Certificate not renewing/creating - CAA records block issuance
A few days ago, we started receiving emails that our certificate for a specific subdomain was expiring in a few days (August 25th), and we needed to add some TXT records.
We did that, and tried revalidating using the link provided in the email but were hit by an error message. It didn't work (error message below).
We removed the domain from the edge certificates and from the worker's custom domains, and re-added the custom domain on the worker. It didn't work.
We removed everything (edge certificate, worker), and redeployed the worker with custom domain using the wrangler CLI - as we did initially, and as we do with other workers/subdomains.
It also didn't work, we're still hitting the following error messages:
In the dashboard page for Edge Certificates, we see that the certificate for that specific subdomain was marked as "Pending Validation (Error)" with a tooltip: "CAA records block issuance. Please remove all CAA records or add records for this authority (pki.goog)".
When doing a dig to check CAA records for my domain, I get the following:
CAAs seem to be set, and it's also not an issue for other subdomains (created as custom domains for workers).
On the DNS Record page, there were no CAA records, those are the default Cloudflare ones.
What could explain that this worker/subdomain in particular doesn't renew/initialize, when others are fine?
Can you share the actual subdomain?
Certainly!
The subdomain in question is realtime.staging.jupi.co
Another subdomain (for a similarly deployed Worker, including domain, deployed 10 minutes ago) is realtime-preview-pr-2159.jupi.co
CAA records are inherited from the next closest parent domain, which is the Vercel CNAME domain in your case.
That... makes a lot of sense, I was unaware of this behavior of DNS/CAA
This was very helpful and solves our issue
Thanks a lot for your answer and for your time!
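The CAA inheritance described in the answer above, as an added example that is not part of the original thread: a CA checks the first non-empty CAA RRset found while climbing from the certificate name toward the root (RFC 8659), and a CNAME on a parent name is followed like any other lookup. The zone data, the example.com/example.net names, the other-ca.example value and the function names are all constructed for illustration and are not the real records from the thread.

```python
# Constructed records: a parent name that is a CNAME to a hosting provider
# whose target publishes CAA records for a different CA.
ZONE = {
    "staging.example.com": {"CNAME": "alias.hosting.example.net"},
    "alias.hosting.example.net": {"CAA": [(0, "issue", "other-ca.example")]},
}

def caa_at(name, zone, max_hops=8):
    """CAA RRset at `name`, following CNAMEs the way a resolver does."""
    for _ in range(max_hops):
        rec = zone.get(name, {})
        if "CNAME" in rec:
            name = rec["CNAME"]
            continue
        return rec.get("CAA", [])
    return []  # CNAME chain too long: treat as no data in this sketch

def relevant_caa(fqdn, zone):
    """Tree climbing: first non-empty CAA RRset from fqdn up to the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_at(name, zone)
        if rrset:
            return name, rrset
    return None, []

def may_issue(fqdn, ca, zone):
    """True if `ca` may issue a non-wildcard certificate for fqdn."""
    _, rrset = relevant_caa(fqdn, zone)
    issuers = [v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"]
    if not issuers:
        return True  # no "issue" property found: issuance is unrestricted
    return ca in issuers

if __name__ == "__main__":
    for host in ("realtime.staging.example.com", "realtime-preview.example.com"):
        found_at, _ = relevant_caa(host, ZONE)
        print(host, "CAA found at:", found_at,
              "| pki.goog allowed:", may_issue(host, "pki.goog", ZONE))
```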