Aws acm - One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error

Question

I am using Window Server 2019 for DNS management.

I have created a public SSL certificate for domain *.example.mydomain.hk in Aws Certificate Manager(ACM)

After that, I add The DNS configuration for the SSL cert.

Below image is get from online. My setting:

Alias name: _66fxxxxxxxxx(auto generated after entering Full qualified domain name)
Full qualified domain name: _66fxxxxxxxxx.example.mydomain.hk
Fully qualified domain name for target host: _3ddxxxxxxxx.abcde.acm-validations.aws.

But error occur in ACM and the status become failed

The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

When I dig _66fxxxxxxxxx.example.mydomain.hk, it shows:

; <<>> DiG 9.10.6 <<>> _66fxxxxxxxxx.example.mydomain.hk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_66fxxxxxxxxx.example.mydomain.hk. IN  A

;; ANSWER SECTION:
_66fxxxxxxxxx.example.mydomain.hk. 3599 IN CNAME _3ddxxxxxxxx.abcde.acm-validations.aws.

;; AUTHORITY SECTION:
abcde.acm-validations.aws.  899 IN  SOA ns-75.awsdns-09.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

...

How should I solve this issue?

Answer 1

Finally added a CAA Record for *.example.mydomain.hk and works now.

*.example.mydomain.hk  IN  CAA 0 issue "amazon.com"

Answer 2

For me, I was running into the same issue for one of my domains when I would attempt to create ACM cert and validate through DNS.

I needed to add a CAA record in route53 and set the value to 0 issue "amazon.com" and this allowed DNS validation for the ACM cert to pass for my record in R53