Symptoms
When running AutoSSL, you may receive the following error:
CA forbidden: "exampledomain.tld"
Description
The error occurs when a domain (exampledomain.tld) has a CAA record that specifies which certificate authorities can issue SSL certificates for it.
For example, suppose the following CAA record exists in the DNS zone of exampledomain.tld, and the AutoSSL provider is cPanel (Powered by Sectigo). In that case, AutoSSL will fail because the CAA record only allows Let's Encrypt to issue SSL certificates for the domain.
exampledomain.tld. IN CAA 0 issue "letsencrypt.org"
Subdomains inherit the CAA record of the primary domain by default.
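The following sketch models the check a certificate authority performs, including the inheritance described above. It is an added example, not cPanel's code. The SAMPLE_CAA data, the shop.exampledomain.tld override, and the function names are constructed for illustration, and it covers only the "issue" tag for non-wildcard names without following CNAMEs.

```python
# Constructed sample data standing in for DNS answers: owner name -> CAA records
# as (flags, tag, value). The shop.exampledomain.tld entry is made up for illustration.
SAMPLE_CAA = {
    "exampledomain.tld": [(0, "issue", "letsencrypt.org")],
    "shop.exampledomain.tld": [(0, "issue", "sectigo.com")],
}


def relevant_caa(name, records):
    """Climb from `name` toward the root; the closest name that has CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if records.get(candidate):
            return candidate, records[candidate]
    return None, []


def ca_allowed(name, ca_domain, records):
    """Return (allowed, owner) where owner is the name whose CAA set was applied."""
    owner, rrset = relevant_caa(name, records)
    issue_values = [value for _flags, tag, value in rrset if tag.lower() == "issue"]
    if not issue_values:
        # No CAA records at all, or none with the "issue" tag: issuance is unrestricted.
        return True, owner
    # Parameters after ";" (if any) are ignored; a bare ";" yields "" and matches no CA.
    issuers = {value.split(";")[0].strip().lower() for value in issue_values}
    return ca_domain.lower() in issuers, owner


if __name__ == "__main__":
    for host in ("www.exampledomain.tld", "shop.exampledomain.tld", "unrelated.tld"):
        for ca in ("letsencrypt.org", "sectigo.com"):
            allowed, owner = ca_allowed(host, ca, SAMPLE_CAA)
            print(f"{host:26} {ca:16} allowed={allowed!s:5} (CAA set at: {owner})")
```

In the sample data, www.exampledomain.tld has no CAA record of its own, so the parent's record applies and sectigo.com is refused, which is the condition that produces the AutoSSL error.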
Workaround
Option 1:
In "WHM / Manage AutoSSL / Providers", set the AutoSSL provider to the certificate authority that matches the CAA record (Let's Encrypt or cPanel (Powered by Sectigo)).
CAA Record example for Sectigo:
exampledomain.tld. IN CAA 0 issue "sectigo.com"
CAA Record example for Let's Encrypt:
exampledomain.tld. IN CAA 0 issue "letsencrypt.org"
Option 2:
Remove the CAA record from the domain's DNS zone or modify the CAA record to use the configured AutoSSL provider (letsencrypt.org or sectigo.com).