CAA record gets removed when renewing Letsencrypt cert

Hi all!

First some info: I did reproduce this, so I have actually verified this happens (to me at least).

Let's go. Here is my CAA info, which I have with every domain I host:

@ IN CAA 0 issue ""
@ IN CAA 0 issue ""
@ IN CAA 0 issuewild ";"
@ IN CAA 0 iodef ""

Most of my domains use Letsencrypt, but some use Sectigo certs, hence both there so I can change certs if needed without editing dns records.

Now, when I renew manually or the cert gets renewed automatically (Letsencrypt), the corresponding CAA record, in this case "@ IN CAA 0 issue """, gets removed from the records for some reason!? This obviously prevents the next renewal after two months or so, and I get e-mails saying renewal failed because CAA prevents it.

I don't know why cert renewal even messes with DNS records, but this is what happens.

Hope the issue is clear enough, thanks!

  • Yorkki
Fixed (pending)
Submitted by Ilia on Wed, 01/13/2021 - 11:09

Assigned: Unassigned


Thanks for contacting us.

I assume it's happening because we add those CAA records automatically upon DNS validation with certbot for Let's Encrypt and then remove them.

Jamie, I think the improvement would be to test if the records in the zone file existed in the first place and, if they did, leave them as they were? Perhaps there is no reason to remove those CAA records at all and we should just leave them be?

Note: The problem with removing the CAA record is that when you have a subdomain, for example one outside your Virtualmin installation renewing a cert, outside of your actual BIND installation, the sub-server is not able to touch or change/add/remove any DNS records -> hence it is unable to renew the cert if the CAA record is not in place.

Sorry about this, we didn't consider this kind of setup with the CAA records. The next Virtualmin release won't cause this kind of breakage.

Thanks guys, appreciate it, keep up the good work!

  • Yorkki
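As an added example that is not part of this thread or of Virtualmin's own code, the Python below models the CAA set from the report and the two renewal behaviours discussed: the one that strips the admin's record, and Ilia's proposed check of whether the record already existed before touching it. The CA identifiers letsencrypt.org and sectigo.com and the iodef address are assumptions, since the record values were lost from the post.

```python
# Added example, not Virtualmin's code. CA identifiers and the iodef address are
# assumptions; the post's record values were lost in extraction.
CA_LE, CA_SECTIGO = "letsencrypt.org", "sectigo.com"

def caa_permits(records, ca_domain, wildcard=False):
    """Does this apex CAA RRset allow `ca_domain` to issue? (RFC 8659 rules)"""
    recs = [(tag.lower(), val.strip()) for tag, val in records]
    if not recs:
        return True                 # no CAA RRset at all: issuance unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in recs):
        tag = "issuewild"           # issuewild, when present, governs *.names
    values = [v for t, v in recs if t == tag]
    if not values:
        return True                 # only iodef/unknown tags: unrestricted
    # ";" names no issuer; otherwise match the issuer-domain-name before any ';'
    return any(v != ";" and v.split(";", 1)[0].strip().lower() == ca_domain.lower()
               for v in values)

def renew_as_reported(records, ca_domain):
    """The behaviour in the report: add an issue record for the DNS validation,
    then strip *every* issue record for that CA, the admin's own included."""
    records = records + [("issue", ca_domain)]
    # ... certbot DNS validation would run here ...
    return [(t, v) for t, v in records if not (t == "issue" and v == ca_domain)]

def renew_fixed(records, ca_domain):
    """Ilia's proposal: add the record only if the zone does not already permit
    the CA, and afterwards remove only what this run added."""
    if caa_permits(records, ca_domain):
        return list(records)        # nothing added, so nothing to remove
    records = records + [("issue", ca_domain)]
    # ... certbot DNS validation would run here ...
    return records[:-1]

# The CAA set from the report; the values are constructed, as noted above.
ZONE = [("issue", CA_LE), ("issue", CA_SECTIGO), ("issuewild", ";"),
        ("iodef", "mailto:hostmaster@example.invalid")]

if __name__ == "__main__":
    after_bug = renew_as_reported(ZONE, CA_LE)
    print("LE permitted after buggy renewal:", caa_permits(after_bug, CA_LE))  # False
    print("LE permitted after fixed renewal:",
          caa_permits(renew_fixed(ZONE, CA_LE), CA_LE))                        # True
    print("wildcard for LE:", caa_permits(ZONE, CA_LE, wildcard=True))         # False
```

The buggy path leaves only the Sectigo issue record behind, which is exactly the state in which the next Let's Encrypt renewal is refused by CAA.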