Symptoms
When running AutoSSL, you may receive the following error:
CA forbidden: "exampledomain.tld"
Description
This occurs when a domain (exampledomain.tld) has a CAA record that specifies which certificate authorities are allowed to issue SSL certificates for it, and the configured AutoSSL provider is not one of them.
For example, if the below CAA record exists in the DNS zone of exampledomain.tld and the AutoSSL provider is set to cPanel (Powered by Sectigo), AutoSSL will fail because the CAA record only allows SSL certificates to be issued by Let's Encrypt.
exampledomain.tld. IN CAA 0 issue "letsencrypt.org"
Workaround
Option 1:
In "WHM / Manage AutoSSL / Providers," set the AutoSSL provider to the certificate authority that matches the CAA record (Let's Encrypt or cPanel (Powered by Sectigo)).
Sectigo CAA record example:
exampledomain.tld. IN CAA 0 issue "sectigo.com"
Let's Encrypt CAA record example:
exampledomain.tld. IN CAA 0 issue "letsencrypt.org"
Option 2:
Remove the CAA record from the domain's DNS zone or modify the CAA record to use the configured AutoSSL provider (letsencrypt.org or sectigo.com).
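To decide between the two options, it helps to see which AutoSSL provider the zone's CAA records actually permit. The following is an added example, not cPanel's own code: it parses zone-file CAA lines and reports the permitted providers for a non-wildcard name, going beyond the single record shown above by also handling inheritance from a parent domain and the empty issuer value ";" that forbids all issuance. The function names and the sample zone are assumptions made for illustration, and CNAME chasing and the issuewild tag are not handled.

```python
import re

# CAA issuer domains named on this page, keyed by AutoSSL provider name.
PROVIDERS = {
    "Let's Encrypt": "letsencrypt.org",
    "cPanel (Powered by Sectigo)": "sectigo.com",
}

# owner [ttl] IN CAA flags tag "value"
CAA_RE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>\w+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)

# Constructed sample zone lines (not taken from a real domain).
SAMPLE_ZONE = """
exampledomain.tld. IN CAA 0 issue "letsencrypt.org"
locked.exampledomain.tld. IN CAA 0 issue ";"
"""

def parse_caa(zone_text):
    """Return {owner_name: [(tag, issuer_domain), ...]} from zone-file lines."""
    records = {}
    for line in zone_text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        owner = m["name"].rstrip(".").lower()
        # The issuer domain precedes any ";" parameters and may be empty.
        issuer = m["value"].split(";", 1)[0].strip().lower()
        records.setdefault(owner, []).append((m["tag"].lower(), issuer))
    return records

def relevant_caa(records, domain):
    """Climb from domain toward the root; the closest name with CAA records wins."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in records:
            return records[name]
    return []

def allowed_providers(records, domain):
    """AutoSSL providers that CAA lets issue a non-wildcard certificate for domain."""
    issue = [v for tag, v in relevant_caa(records, domain) if tag == "issue"]
    if not issue:  # no "issue" property found: issuance is not restricted
        return sorted(PROVIDERS)
    return sorted(p for p, ca in PROVIDERS.items() if ca in issue)
```

An empty list for a domain means that neither provider can issue for it until the CAA record is changed or removed, which corresponds to Option 2.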