[SOLVED] Worker Custom Domain's Certificate not renewing/creating - CAA records block issuance
A few days ago, we started receiving emails that our certificate for a specific subdomain was expiring in a few days (August 25th), and we needed to add some TXT records.
We did that, and tried revalidating using the link provided in the email but were hit by an error message. It didn't work (error message below).
We removed the domain from the edge certificates and from the worker's custom domains, and re-added the custom domain on the worker. It didn't work.
We removed everything (edge certificate, worker), and redeployed the worker with custom domain using the wrangler CLI - as we did initially, and as we do with other workers/subdomains.
It also didn't work, we're still hitting the following error messages:
In the dashboard page for Edge Certificates, we see that the certificate for that specific subdomain was marked as "Pending Validation (Error)" with a tooltip: "CAA records block issuance. Please remove all CAA records or add records for this authority (pki.goog)."
When doing a dig to check CAA records for my domain, I get the following:
CAAs seem to be set, and it's also not an issue for other subdomains (created as custom domains for workers).
On the DNS Record page, there were no CAA records, those are the default Cloudflare ones.
What could explain that this worker/subdomain in particular doesn't renew/initialize, when others are fine?
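
Added example, not part of the original post: CAA is evaluated per hostname, with the CA climbing from the requested name toward the root and using the first CAA set it finds (RFC 8659), so a check against the exact subdomain can give a different answer than one against the apex. The zone contents, hostnames and function names below are constructed for illustration, and only the non-wildcard `issue` case is handled.

```python
# Added example: RFC 8659 "relevant record set" lookup over a constructed zone.
# Zone contents and hostnames are made up; a live check would query DNS for the
# CAA type at each name (following CNAMEs) instead of reading a dict.

CONSTRUCTED_ZONE = {
    # name -> list of (flags, tag, value) CAA records
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        (0, "issuewild", "pki.goog"),
    ],
    # A CAA set on the subdomain itself replaces the apex set for that name.
    "api.example.com": [(0, "issue", "digicert.com")],
    "mail.example.com": [(0, "iodef", "mailto:sec@example.com")],
}


def relevant_caa_set(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = zone.get(name)
        if records:
            return name, records
    return None, []


def issuer_domain(value):
    """Issuer domain is the part of an issue value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, zone):
    """Non-wildcard check: does the relevant CAA set allow ca_domain?"""
    found_at, records = relevant_caa_set(fqdn, zone)
    issuers = [issuer_domain(v) for _, tag, v in records if tag.lower() == "issue"]
    # No issue properties in the relevant set means CAA does not restrict issuance.
    allowed = not issuers or ca_domain.lower() in issuers
    return allowed, found_at


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "mail.example.com"):
        allowed, found_at = ca_may_issue(host, "pki.goog", CONSTRUCTED_ZONE)
        print(f"{host}: pki.goog allowed={allowed} (CAA set found at {found_at})")
```

Against live DNS, the equivalent is a CAA query for the exact subdomain and then for each parent name in turn, stopping at the first name that returns records.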
