5
votes

I have a public hosted zone at AWS Route 53. For simplicity, let's call the domain "foo.com", for which I bought a certificate from Comodo.

I have a CNAME type record for the subdomain "bar.foo.com". In order to renew the Let's Encrypt certificate for the "bar.foo.com" subdomain, I need to add a CAA record.

I'm getting the following error message if I try to add the CAA record for the subdomain.

Name: bar.foo.com | Type: CAA | Value: 0 issue "letsencrypt.org"

Error message:

RRSet of type CAA with DNS name bar.foo.com. is not permitted because a conflicting RRSet of type CNAME with the same DNS name already exists in zone foo.com.


1
The error means you already have a CNAME record on the same label bar.foo.com, and by definition, if you have a CNAME record on some label, you cannot have any other record types for the same label. - Patrick Mevzek

1 Answer

4
votes

I got it working! I entered a second line in the CAA record of "foo.com":

0 issue "letsencrypt.org"

I'm not sure if that is the right thing to do but it works.
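Why the change at "foo.com" takes effect for "bar.foo.com": under RFC 8659 a CA looks for a CAA RRset at the requested name (following any CNAME) and, if it finds none, climbs to the parent name and uses the first non-empty RRset. The sketch below is an added example, not part of the original answer; the existing "comodoca.com" entry and the CNAME target "target.example.net." are constructed assumptions, since the page does not show them.

```python
# Constructed sample zones: the first CAA line and the CNAME target are assumptions.
BEFORE = {
    "foo.com.": {"CAA": [(0, "issue", "comodoca.com")]},
    "bar.foo.com.": {"CNAME": "target.example.net."},
}
AFTER = {
    "foo.com.": {"CAA": [(0, "issue", "comodoca.com"),
                         (0, "issue", "letsencrypt.org")]},
    "bar.foo.com.": {"CNAME": "target.example.net."},
}

def parent(name):
    """Drop the leftmost label: 'bar.foo.com.' -> 'foo.com.'; 'com.' -> '.'."""
    rest = name.split(".", 1)[1]
    return rest if rest else "."

def caa_at(zone, name, max_hops=8):
    """CAA RRset at name, following CNAMEs the way a resolver would."""
    for _ in range(max_hops):
        records = zone.get(name, {})
        if "CNAME" not in records:
            return records.get("CAA", [])
        name = records["CNAME"]
    return []  # CNAME chain too long or looping: treat as no answer

def relevant_caa_set(zone, name):
    """Climb from name toward the root; the first non-empty CAA RRset wins."""
    while name != ".":
        rrset = caa_at(zone, name)
        if rrset:
            return rrset
        name = parent(name)
    return []

def may_issue(zone, name, ca_domain):
    """True if ca_domain may issue a non-wildcard certificate for name."""
    rrset = relevant_caa_set(zone, name)
    issuers = [value.split(";")[0].strip().lower()
               for _flags, tag, value in rrset if tag == "issue"]
    # No CAA found, or no "issue" property in the set: issuance is unrestricted.
    return not issuers or ca_domain.lower() in issuers

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, may_issue(zone, "bar.foo.com.", "letsencrypt.org"))
```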
