Certificate Renewal Failing with 403 Error on Liferay PaaS
Issue
- When attempting to renew the SSL certificate generated by Let’s Encrypt, the process fails with multiple 403 (Forbidden) errors.
- The error messages suggest a security restriction that is preventing the certificate from being recreated:
Reason: Error accepting authorization: acme: authorization error for [domain]: 403 urn:ietf:params:acme:error:caa: CAA record for [parent domain] prevents issuance
Resolution
- This issue is often caused by restrictions in the CAA (Certification Authority Authorization) records. These records define the Certificate Authorities (CAs) authorized to issue certificates for a domain. If Let’s Encrypt is not included, the renewal process will fail.
- To fix this, update the CAA records for the parent domain to authorize Let’s Encrypt by adding the following entry through your DNS provider:
0 issue "letsencrypt.org"
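To see why a CAA record on the parent domain blocks renewal for a subdomain, and to confirm the new entry before retrying, the sketch below models the CAA lookup a CA performs (RFC 8659 tree climbing). It is an added example, not Liferay or Let’s Encrypt code; the zone data, the `example.com` names and the function names are constructed for illustration, and it ignores the critical flag on unknown tags.

```python
# Constructed sample data: owner name -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "digicert.com"),
                    (0, "iodef", "mailto:security@example.com")],
}
# Same zone after adding the entry from the resolution above.
FIXED_ZONE = {
    "example.com": SAMPLE_ZONE["example.com"] + [(0, "issue", "letsencrypt.org")],
}


def relevant_caa(domain, zone):
    """Climb from the requested name toward the root and return
    (owner, rrset) for the first name that has CAA records."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def may_issue(domain, ca, zone, wildcard=False):
    """Return (allowed, owner): whether `ca` may issue for `domain`, and
    which name's CAA record set made the decision (None if there is none)."""
    owner, rrset = relevant_caa(domain, zone)
    tags = {}
    for _flags, tag, value in rrset:
        # The issuer domain is the part before any ';' parameters.
        issuer = value.split(";")[0].strip().lower()
        tags.setdefault(tag.lower(), []).append(issuer)
    # issuewild, when present, governs wildcard requests; otherwise issue applies.
    key = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = tags.get(key)
    if allowed is None:
        return True, owner  # no issue property at all: issuance is not restricted
    return ca.lower() in allowed, owner


if __name__ == "__main__":
    for label, zone in (("before", SAMPLE_ZONE), ("after", FIXED_ZONE)):
        ok, owner = may_issue("www.app.example.com", "letsencrypt.org", zone)
        print(f"{label}: allowed={ok}, decided by CAA at {owner}")
```

Against live DNS, query the CAA record type for the domain and each of its parents and compare the `issue` values with the output above.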