Symptoms
AutoSSL checks are being sent to Sectigo for validation, however, the certificates are not being issued and are stuck in the AutoSSL queue.
Description
This issue involves CAA which is a standard that lets you control which certificate authorities (CAs) are allowed to issue certificates for your domain.
When using Shopify the "www" record will be configured to be redirected to Shopify via a CNAME record:
# dig @8.8.8.8 cname www.example.com +short
shops.myshopify.com.
This uses its own CAA record which does not include Sectigo, preventing the certificate from being issued:
# dig @8.8.8.8 caa shops.myshopify.com. +short
0 issue "digicert.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
Workaround
You would need to either adjust the CNAME record or exclude the "www" subdomain in cPanel's "SSL/TLS Status" module so that the certificate can be issued. Alternatively, you may try the Let's Encrypt provider to see if this allows for your certificate to be successfully issued.
There was a noted change in this behavior whic was addressed as CPANEL-26814 in cPanel & WHM version 84. You can view the Change Log below:
- Fixed case CPANEL-26814: Make AutoSSL run a CAA record check prior to doing DCV.
Source: cPanel & WHM - 84 Change Log
This resulted in a check for conflicting CAA being performed prior to the certificate being sent to Sectigo. The above workarounds would still apply.