A “PRE-SIGN FAILED” error usually means something is blocking your SSL certificate from being issued — often due to a problem with your domain’s CAA records.
What Is a CAA Record?
CAA stands for Certification Authority Authorization. A CAA record is a DNS record that lets you control which Certificate Authorities (CAs) can issue SSL/TLS certificates for your domain.
If you don’t set a CAA record, any CA can issue a certificate for your domain. But if you do, only the listed CAs are allowed.
Since September 8, 2017, all CAs must check CAA records before issuing certificates. As of September 15, 2024, Sectigo also applies these checks to S/MIME certificates.
If your domain already has CAA records, a CA can issue SSL certificates only after you add it to those records.
Steps to Update Your CAA Record for Sectigo:
- Open your domain’s DNS environment.
- Under Domain name, add the following CAA record(s):
For SSL Certificates:
CAA 0 issue "sectigo.com"
If you want to grant Sectigo permission to issue wildcard certificates only, use the following:
CAA 0 issuewild "sectigo.com"
Note: the "issuewild" value restricts the CA to issuing certificates only for wildcard domain names such as *.yourdomain.com. If your certificate also includes a standard domain name like yourdomain.com, you must also have a CAA record with the "issue" value.
For S/MIME Email Certificates:
If you want to grant Sectigo permission to issue S/MIME certificates only, use the following:
CAA 0 issuemail "sectigo.com"
Check Your CAA Records
To check if your domain has any CAA records that might prevent SSL issuance, you can use any online DNS lookup tool. You should also be able to find the records in your domain's DNS manager.
Using the DNS Propagation Checker - Global DNS Testing Tool, input your domain name and search for CAA type records. The records may appear as follows.
These records explicitly authorize Sectigo to issue SSL certificates for yourdomain.com, preventing any other Certificate Authority from doing so.
If a CAA record is present for another CA but not for Sectigo, Sectigo will not be able to issue an SSL certificate for your domain. Likewise, if a CAA record exists for Sectigo but not for any other CA, no other CA is authorized to issue a certificate for your domain.
It's also okay if you have CAA records for many different CAs. That just means you are allowing specific CAs, but not all, to issue certificates for your domain.
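A pre-flight check for the rules above, added here as an example (not Sectigo's code): it takes CAA records in the `0 issue "sectigo.com"` form used in this article and lists which records still need to be added before the named CA can issue for a set of certificate names. The function names, the `otherca.example` issuer and the sample record sets are constructed for illustration; it assumes you pass in the CAA records that apply to the domain and covers SSL/TLS names only, not `issuemail`.

```python
import re

# One CAA record per line: flags, tag, quoted value, e.g. 0 issue "sectigo.com"
CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa(lines):
    """Return {tag: set of issuer domains} for the given record lines."""
    tags = {}
    for line in lines:
        m = CAA_RE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        tag = m.group(2).lower()                           # tags are case-insensitive
        issuer = m.group(3).split(";")[0].strip().lower()  # drop any parameters
        tags.setdefault(tag, set()).add(issuer)            # a bare ";" yields "" (no CA)
    return tags

def records_to_add(caa_lines, names, ca="sectigo.com"):
    """List the CAA records still needed before `ca` can issue for `names`."""
    tags = parse_caa(caa_lines)
    if "issue" not in tags and "issuewild" not in tags:
        return []          # no record restricts SSL issuance: any CA can issue
    needed = []
    for name in names:
        wildcard = name.startswith("*.")
        # When issuewild records exist they govern wildcard names; otherwise
        # issue does. Standard names need an issue record (see the note above).
        tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
        record = f'0 {tag} "{ca}"'
        if ca not in tags.get(tag, set()) and record not in needed:
            needed.append(record)
    return needed

# Constructed sample record sets (not real lookups)
ONLY_OTHER_CA = ['0 issue "otherca.example"']
WILDCARD_ONLY = ['0 issuewild "sectigo.com"']

if __name__ == "__main__":
    order = ["yourdomain.com", "*.yourdomain.com"]
    for rrset in (ONLY_OTHER_CA, WILDCARD_ONLY):
        print(rrset, "->", records_to_add(rrset, order))
```

An empty result means the existing records do not block the order; anything listed is a record to add in your DNS manager before requesting the certificate again.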
Remove Existing CAA Records
If no CAA records are configured for your domain, any Certificate Authority (CA) can issue an SSL certificate. If you do not wish to restrict SSL issuance to specific CAs, you may choose to delete all existing CAA records to allow any CA to issue certificates for your domain.
Hosting-Managed CAA Records
If your hosting provider manages your domain’s CAA records, you’ll need to contact them for assistance in making any changes.
Some hosting providers and platforms, like Shopify, may restrict modifications to CAA records. In such cases, you may be unable to obtain SSL certificates from Certificate Authorities not authorized by your host. To explore your options, reach out to your hosting provider for confirmation and guidance on requesting SSL certificates for your site.