A CAA (Certificate Authority Authorization) DNS record tells Certificate Authorities (CAs) whether they are allowed to issue SSL certificates for your domain.
If a domain has a restrictive CAA record that does not allow Let’s Encrypt, Plesk may fail to issue or renew a certificate with an error like “CAA record prevents issuance”.
When you need to check CAA
- Let’s Encrypt issuance/renewal fails in Plesk.
- You recently added CAA records for security and certificates stopped renewing.
- You moved DNS to another provider and copied old DNS records.
Where to add CAA records
- If your DNS is managed in Plesk (domain uses GARMTECH nameservers), add the record in Plesk → DNS Settings.
- If your domain uses external DNS (for example, Cloudflare), add the record there.
CAA values for Let’s Encrypt
Let’s Encrypt uses the CA domain letsencrypt.org.
- To allow standard certificates:
CAA 0 issue "letsencrypt.org"
- To allow wildcard certificates (optional; when no issuewild record exists, the issue record also applies to wildcard names):
CAA 0 issuewild "letsencrypt.org"
If you also use a paid SSL provider, you can add additional CAA “issue” entries for their CA domain as well.
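To see why a given name is refused, the following Python example (added here, not Plesk's or Let’s Encrypt's own code) evaluates CAA answers using the RFC 8659 rules: the closest ancestor with CAA records decides, and issuewild replaces issue for wildcard names. The DNS data and the CA name paid-ca.example are constructed placeholders, and CNAME handling and issuer parameters are not modelled.

```python
# Constructed sample data: CAA answers as `dig +short CAA <name>` prints them.
# "paid-ca.example" is a hypothetical CA domain used only for illustration.
SAMPLE_DNS = {
    "example.com": ['0 issue "paid-ca.example"', '0 iodef "mailto:sec@example.com"'],
    "shop.example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}

def parse_caa(lines):
    """Turn '0 issue "letsencrypt.org"' lines into (tag, issuer_domain) pairs."""
    records = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) == 3:
            _flags, tag, value = parts
            # Parameters after ';' (e.g. validationmethods) are ignored here.
            # A bare ";" yields an empty issuer, which matches no CA.
            issuer = value.strip().strip('"').split(";")[0].strip().lower()
            records.append((tag.lower(), issuer))
    return records

def relevant_rrset(dns, name):
    """Climb from name towards the root; the first name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if dns.get(candidate):
            return candidate, parse_caa(dns[candidate])
    return None, []

def ca_allowed(dns, name, ca="letsencrypt.org"):
    """Return True if `ca` may issue for `name` (use '*.' prefix for wildcards)."""
    wildcard = name.startswith("*.")
    _, records = relevant_rrset(dns, name[2:] if wildcard else name)
    issue = [v for t, v in records if t == "issue"]
    issuewild = [v for t, v in records if t == "issuewild"]
    # For wildcard names, issuewild replaces issue when present.
    applicable = issuewild if (wildcard and issuewild) else issue
    # No applicable property means no restriction; otherwise the CA must be listed.
    return not applicable or ca in applicable

if __name__ == "__main__":
    for n in ["example.com", "www.example.com", "shop.example.com",
              "*.shop.example.com", "other.test"]:
        print(f"{n:22} letsencrypt.org allowed: {ca_allowed(SAMPLE_DNS, n)}")
```

In the sample data, www.example.com is refused because it inherits the parent's record, which is the typical cause when a subdomain fails after CAA was added only at the apex.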
Add a CAA record in Plesk
- Log in to Plesk.
- Go to Websites & Domains → DNS Settings.
- Click Add Record and select CAA.
- Fill in the values (for example, tag: issue, CA domain: letsencrypt.org).
- Click OK, then click Update to apply changes.
After updating CAA
- Wait for DNS propagation (often quick, sometimes up to 24 hours).
- Retry issuing/renewing the certificate in Plesk (SSL/TLS Certificates or Let’s Encrypt extension).