How to Configure CAA Records

Creating a CAA record is not required.

If you are having problems obtaining an SSL certificate due to your domain having an incorrect CAA record, you should delete your domain's incorrect CAA record.

CAA records are a new type of DNS record that allows you to restrict which Certificate Authorities can issue SSL certificates for your domains.

Because ServerPilot's AutoSSL feature issues certificates through the Let's Encrypt Certificate Authority, you can optionally create a CAA record with the issue tag and authority granted to letsencrypt.org, so that only Let's Encrypt will be able to issue SSL certificates for your domain.

If you create a CAA record and later forget you created it when trying to issue a certificate from a different Certificate Authority, you won't be able to issue your new SSL certificate. In general, you should only create a CAA record if you're experienced with DNS and understand how CAA records work.

Creating a CAA Record at DigitalOcean

If your domain's DNS is managed at DigitalOcean, you can create a CAA record for your domain through DigitalOcean's control panel.

To create a CAA record, log in to DigitalOcean's control panel, click on Networking, and then click on your domain name in the list to manage DNS for your domain.

Next, click on CAA and enter the following values:

  • Hostname: @ (only an "at sign", nothing else)
  • Authority Granted For: letsencrypt.org
  • Tag: issue
  • Flags: 0
  • TTL (Seconds): 3600

This is what the form will look like before you click Create Record:

Finally, click Create Record to create your domain's CAA record.
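
The effect of this record, and of the forgotten-record problem described earlier, can be checked offline with the following added example (not ServerPilot's code). It applies the RFC 8659 issuance rules to a CAA record set already retrieved in presentation format, for example from dig output; the function names, the CA name ca.example, and the sample records are constructed for illustration, and it does no DNS lookups or parent-domain climbing.

```python
import re

# CAA record data in presentation format: <flags> <tag> "<value>"
CAA_RDATA = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # tags this sketch understands
CRITICAL = 128  # issuer-critical flag bit


def parse_caa(rdata):
    """Split one CAA rdata string into (flags, tag, value)."""
    m = CAA_RDATA.match(rdata)
    if not m:
        raise ValueError(f"not CAA presentation format: {rdata!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def issuer_domain(value):
    """Issuer name from an issue/issuewild value, dropping ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(rrset, ca_domain, wildcard=False):
    """True if ca_domain may issue given the CAA record set for the name."""
    records = [parse_caa(r) for r in rrset]
    # A critical property with a tag the CA does not understand blocks issuance.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild applies only to wildcard requests, where it overrides issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue-type property: issuance is not restricted
    return ca_domain.lower() in {issuer_domain(v) for v in relevant}


if __name__ == "__main__":
    # Constructed sample: the record from the steps above (flags 0, tag issue).
    rrset = ['0 issue "letsencrypt.org"']
    for ca in ("letsencrypt.org", "ca.example"):
        print(ca, "->", "allowed" if may_issue(rrset, ca) else "refused")
    # Deleting the record (empty set) lifts the restriction for every CA.
    print("ca.example, no CAA ->", may_issue([], "ca.example"))
```
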


Last updated: February 08, 2018