[SSL] Expand DCV troubleshooting with all CA error messages #30877
Open
ngayerie wants to merge 1 commit into
Documents all DCV error messages returned by certificate authorities:
- Rate limiting errors with expiration time
- CAA records block issuance
- Multiple perspective validation errors (MPIC)
- DNS lookup errors (SERVFAIL, NXDOMAIN, DNSSEC)
- Rejected identifier errors
- Internal CA errors

Each error now includes a clear Resolution section with actionable steps.

Addresses SPM-3368
| For example, for a [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) certificate encountering this issue, you can check for: `<hostname>:CAA:8.8.8.8`. | ||
| ### CAA records block issuance | ||
|
|
||
| Read more from Certificate Authorities specific documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic). |
| ### CAA records block issuance | ||
|
|
||
| Read more from Certificate Authorities specific documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic). | ||
| The error `CAA records block issuance. Please remove all CAA records or add records for this authority` indicates that your domain's [CAA records](/ssl/edge-certificates/caa-records/) do not allow the selected certificate authority to issue certificates. |
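Review bot: in the lines shown, the new `### CAA records block issuance` heading sits between the Google Trust Services `<hostname>:CAA:8.8.8.8` example and the "Read more from Certificate Authorities specific documentation" line, whose links are all about MPIC, so those MPIC links would render under the CAA section. If that is the actual file order, move the heading below the "Read more" line so that it directly precedes the `CAA records block issuance. Please remove all CAA records or add records for this authority` paragraph. While touching that line, "Certificate Authorities specific documentation" would read better as "certificate authority-specific documentation".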
Summary
Expands the DCV troubleshooting documentation to include all error messages returned by certificate authorities, with clear resolution steps for each.
Problem
Customers encountering DCV errors often do not know what action to take. The existing documentation only covered a few error types and lacked clear call-to-action guidance.
Solution
Updated `/ssl/edge-certificates/changing-dcv-method/troubleshooting/` to document all DCV error messages from the COMS certificate validation system:
- `The authority has rate limited these domains...`
- `CAA records block issuance...`
- `Certificate authority encountered a multiple perspective CAA check error...`
- `MPIC failure...`
- `the Certificate Authority had trouble performing a DNS lookup...`
- `The certificate authority will not issue for this domain...`
- `Internal error with Certificate Authority...`

Each error now includes:
Ticket