Certificate Renewal Failures for Replicated Custom Domains

Background

When you configure a custom domain for your Replicated application (for example, to use downloads.yourcompany.com instead of a replicated.app subdomain), Replicated uses Cloudflare to automatically provision and renew SSL/TLS certificates. This process is fully managed and requires no manual intervention under normal circumstances.

However, if your domain has CAA (Certificate Authority Authorization) records configured, the certificate renewal process may fail silently. A CAA record set lists the Certificate Authorities permitted to issue certificates for a name; a CA that is not listed must refuse to issue. The policy is inherited: a CA uses the closest non-empty CAA record set it finds walking from the requested hostname up toward the root, so records published at yourcompany.com also govern downloads.yourcompany.com unless that hostname publishes CAA records of its own.

Symptoms

You may encounter this issue if:

  • Your custom domain stops working with SSL/TLS errors after a period of successful operation
  • The certificate expires roughly 90 days after it was last issued (the lifetime of a Let’s Encrypt certificate) and is not replaced
  • Cloudflare reports certificate issuance failures for your domain
  • Users see browser warnings about expired or invalid certificates when accessing your custom domain

Root Cause

Cloudflare’s certificate issuance pipeline uses several Certificate Authorities and may select a different CA at renewal than the one that issued the original certificate. If your CAA records do not list every CA Cloudflare may use, the CA chosen for a renewal is required to reject the request, and the certificate is not replaced.

You can check whether a CAA policy applies to your custom domain. Query the custom hostname itself and then each parent domain, because the first non-empty answer walking up the tree is the one a CA enforces:

dig CAA yourdomain.com +short

If any of these queries returns results, you have CAA records in place and must ensure that the record set a CA will find for your custom hostname includes Cloudflare’s required CAs. No output at every level means no CAA policy exists and any CA may issue.

Solution

Add the following CAA records to your domain’s DNS configuration, at the name where your existing CAA records live (normally the registered domain, or the custom hostname itself if it has a CAA set of its own). These records authorize all Certificate Authorities that Cloudflare may use for certificate issuance. Keep any existing issue records for CAs you use elsewhere; adding entries only widens who may issue. If you also publish issuewild records, add the same CAs there, because a CA handling a wildcard request ignores issue tags whenever any issuewild tag is present:

@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
@ IN CAA 0 issue "ssl.com"
@ IN CAA 0 issue "amazon.com"
@ IN CAA 0 issue "cloudflare.com"
@ IN CAA 0 issue "google.com"
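
To make the lookup rules concrete, the following Python script evaluates a CAA policy the way a CA does. It is an added example, not Replicated’s or Cloudflare’s code, and it runs against a constructed in-memory zone (ZONE) rather than live DNS; the record strings are in the format dig CAA +short prints, so you can paste real answers in. It uses the record set from the Solution section above and shows both the walk up from downloads.yourcompany.com to yourcompany.com described under Root Cause and a hypothetical restricted hostname where every CA in that set would be refused.

```python
"""CAA policy check for a custom domain (RFC 8659 lookup rules).

Added example, not Replicated's or Cloudflare's code. ZONE is a constructed
stand-in for DNS so the script runs offline; replace its entries with the
output of `dig CAA <name> +short` for your own names.
"""
import re

# Constructed sample zone, keyed by owner name. Each value is one CAA RDATA
# string exactly as `dig CAA <name> +short` prints it: <flags> <tag> "<value>".
ZONE = {
    # The records from the Solution section, published at the registered domain.
    "yourcompany.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "pki.goog; cansignhttpexchanges=yes"',
        '0 issue "ssl.com"',
        '0 issue "amazon.com"',
        '0 issue "cloudflare.com"',
        '0 issue "google.com"',
        '0 iodef "mailto:your-security-team@example.com"',
    ],
    # Hypothetical hostname with its own, narrower CAA set (shadows the apex).
    "restricted.yourcompany.com": ['0 issue "digicert.com"'],
    # The custom domain has no CAA records of its own, so the apex set applies.
    "downloads.yourcompany.com": [],
}

# CAA issuer identifiers from the Solution section (the part before any ';').
SOLUTION_CAS = ["letsencrypt.org", "pki.goog", "ssl.com",
                "amazon.com", "cloudflare.com", "google.com"]

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')


def parse_caa(rdata):
    """Split one CAA RDATA string into (flags, tag, value)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError("not a CAA record: %r" % rdata)
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def relevant_caa_set(zone, hostname):
    """Walk from the hostname toward the root and return (name, records) for
    the first non-empty CAA record set. (None, []) means no policy applies."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = [parse_caa(r) for r in zone.get(name, [])]
        if records:
            return name, records
    return None, []


def issuer_domain(value):
    """The CA identifier in an issue/issuewild value is everything before the
    first ';'; parameters such as cansignhttpexchanges=yes follow it."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(zone, hostname, ca, wildcard=False):
    """May CA `ca` (its CAA identifier, e.g. "letsencrypt.org") issue for
    `hostname`? Wildcard requests use issuewild tags when any exist and fall
    back to issue tags otherwise; non-wildcard requests use issue tags only."""
    _, records = relevant_caa_set(zone, hostname)
    if not records:
        return True  # no CAA policy anywhere in the tree: any CA may issue

    # A record with the critical flag (128) and a tag the CA does not
    # understand must cause the CA to refuse, not to ignore the record.
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag not in known for flags, tag, _ in records):
        return False

    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        entries = [v for _, t, v in records if t == tag]
        if entries:
            # An empty issuer, e.g. issue ";", authorizes nobody.
            return ca.lower() in {issuer_domain(v) for v in entries}
    return True  # policy exists but restricts nothing relevant (e.g. iodef only)


def refused_cas(zone, hostname, cas):
    """The subset of `cas` that the CAA policy for `hostname` would block."""
    return [ca for ca in cas if not is_authorized(zone, hostname, ca)]


if __name__ == "__main__":
    for host in ("downloads.yourcompany.com", "restricted.yourcompany.com"):
        found_at, _ = relevant_caa_set(ZONE, host)
        print(host, "| policy from:", found_at,
              "| refused:", refused_cas(ZONE, host, SOLUTION_CAS))
```

For downloads.yourcompany.com the policy is found at yourcompany.com and nothing is refused; for the restricted hostname every CA in the list is refused, which is the renewal failure this article describes. To check a real domain, fill ZONE from the dig output for the hostname and each of its parents.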

Optional: Certificate Issuance Notifications

A CA that supports the iodef tag can report certificate requests it refused for your domain because of your CAA policy (reporting is at the CA’s discretion under RFC 8659, so not every CA sends it). This gives you a signal when an unexpected CA, including one Cloudflare has switched to, is being blocked. To receive these reports by email, add an IODEF record:

@ IN CAA 0 iodef "mailto:your-security-team@example.com"

Applying the Changes

After adding the CAA records:

  1. Verify propagation: resolvers keep serving the old answer until the record’s TTL expires, so a public resolver can lag behind your authoritative server for hours. Verify with the command below; add @<your-authoritative-nameserver> to query the authoritative server directly and bypass caches:

    dig CAA yourdomain.com +short
    
  2. Wait for renewal: Cloudflare will automatically retry certificate issuance. If the certificate is already expired, you may need to contact Replicated support to trigger a manual renewal.

  3. Confirm certificate validity: Once renewed, verify the certificate is valid and note which CA issued it (the issuer should correspond to one of the CAs in your CAA records):

    echo | openssl s_client -connect your-custom-domain.com:443 -servername your-custom-domain.com 2>/dev/null | openssl x509 -noout -dates -issuer
    
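
The same check as a script, for use in monitoring after the records are in place. This is an added example, not Replicated’s or Cloudflare’s tooling: it uses only the Python standard library, performs a verified TLS handshake with SNI (so an expired or untrusted certificate fails the handshake exactly as a browser would), and reports the issuer and days to expiry. The 30-day warning threshold and SAMPLE_CERT are assumptions; the sample is a constructed certificate dict in the shape ssl.getpeercert() returns so the parsing runs offline.

```python
"""Expiry and issuer check for a custom domain's certificate.

Added example, not Replicated's or Cloudflare's tooling. Standard library only.
fetch_certificate needs network access; days_remaining and summarize are pure,
so they can be exercised offline against SAMPLE_CERT.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumption: warn when fewer than this many days remain, since automated
# renewal normally replaces a certificate well before it expires.
RENEWAL_WARNING_DAYS = 30

# Constructed sample in the shape ssl.getpeercert() returns (90-day lifetime).
SAMPLE_CERT = {
    "subject": ((("commonName", "downloads.yourcompany.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example Intermediate R1"),),
    ),
    "notBefore": "Mar 12 12:00:00 2025 GMT",
    "notAfter": "Jun 10 12:00:00 2025 GMT",
}


def _to_timestamp(when):
    """Accept None (now), a datetime, an epoch number, or a string in the
    same 'Mon DD HH:MM:SS YYYY GMT' format getpeercert() uses."""
    if when is None:
        return datetime.now(timezone.utc).timestamp()
    if isinstance(when, str):
        return ssl.cert_time_to_seconds(when)
    if isinstance(when, datetime):
        return when.timestamp()
    return float(when)


def days_remaining(not_after, now=None):
    """Days until `not_after`; negative once the certificate has expired."""
    return (ssl.cert_time_to_seconds(not_after) - _to_timestamp(now)) / 86400.0


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields that matter for this check."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    days = days_remaining(cert["notAfter"], now)
    if days < 0:
        status = "expired"
    elif days < RENEWAL_WARNING_DAYS:
        status = "renew-soon"
    else:
        status = "ok"
    return {
        "issuer_org": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "not_after": cert["notAfter"],
        "days_remaining": round(days, 1),
        "status": status,
    }


def fetch_certificate(hostname, port=443, timeout=10):
    """Complete a verified TLS handshake with SNI and return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check(hostname):
    """Network entry point. An expired or untrusted certificate fails the
    handshake itself, which is the symptom users see, so report that rather
    than hiding it behind a generic connection error."""
    try:
        return summarize(fetch_certificate(hostname))
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verification-failed", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(check(target) if target else summarize(SAMPLE_CERT))
```

Run it with the custom hostname as the only argument; with no argument it summarizes the constructed sample. A status of verification-failed with an expiry message is the state described under Symptoms, and the issuer fields tell you which CA actually issued the renewed certificate, which is what your CAA records must authorize.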

Getting Additional Help

If you’ve added the required CAA records and certificates still fail to renew, contact Replicated support with:

  • Your custom domain name
  • Output of dig CAA yourdomain.com +short, plus the same query for the custom hostname itself
  • The approximate date when certificate errors began