The PRE-SIGN FAILED status generally means that there is a problem preventing your SSL certificate from being issued.
By far, the most common cause for PRE-SIGN FAILED has to do with a Certificate Authority Authorization (CAA) record that may be set up in your domain's DNS zone.
A CAA record restricts which Certificate Authorities may issue SSL certificates for your domain. If you have a CAA record for one Certificate Authority, then only that specific CA may issue SSL for your domain. You can create CAA records for multiple Certificate Authorities. If you have no CAA records at all, you can request SSL from any CA.
Please reach out to our support team to help complete certificate issuance if you have already resolved your CAA records and the certificate status is still PRE-SIGN FAILED.
Check Your CAA Records
To check if your domain has any CAA records that might prevent SSL issuance, you can use any online DNS lookup tool. You should also be able to find the records in your domain's DNS manager.
Using the What's My DNS lookup tool, input your domain name and search for CAA type records. The records may appear as follows.
Name | Type | Value |
yourdomain.com | CAA | 0 issue "digicert.com" |
yourdomain.com | CAA | 0 issue "sectigo.com" |
These records specifically allow the CAs DigiCert and Sectigo to issue SSL to yourdomain.com and would prevent any other CA from issuing SSL for this site. That being said, if you have a CAA for DigiCert and not for Sectigo, then Sectigo cannot issue SSL to your domain, and vice versa - if you have a CAA for Sectigo and not for DigiCert, then DigiCert cannot issue SSL to your domain.
Manage Your CAA Records
There are several ways to resolve the PRE-SIGN FAILED status caused by CAA records.
1. Add CAA Record for Sectigo
If you already have CAA records for other Certificate Authorities besides Sectigo, you should add a new record to allow SSL from Sectigo:
yourdomain.com. CAA 0 issue "sectigo.com"
A CAA record with the "issuewild" tag will restrict Certificate Authorities from issuing SSL with non-wildcard names. Most SSL certificates include non-wildcard names, even Wildcard SSL certificates. You should make sure that your CAA record instead uses the "issue" tag as written above to allow both wildcard and non-wildcard names on your SSL.
2. Delete Existing CAA Records
Having no CAA records set up on your domain will allow any Certificate Authority to issue SSL to your domain. If you do not need to restrict which CAs can issue SSL for your site, you may be able to delete all existing CAA records to allow issuance.
Hosting Managed CAA Records
If your hosting provider strictly controls your domain's CAA records, please reach out to your hosting provider for help making adjustments to your CAA records.
Some hosting providers and other platforms that integrate with your domain, such as Shopify, may not allow you to change your CAA records. In this case, you may not be able to request SSL certificates from any Certificate Authority not authorized by your host. Please contact your host to confirm and discuss what other options you have to request SSL certificates for your site.