AutoSSL and CAA Records
I recently had a similar issue. I discovered that I had a general CAA record that only covered Let's Encrypt, and the service cert auto-renewal was silently failing because there was no more-specific CAA record for the service hostname that allowed Comodo/Sectigo to issue the requisite cert.
I think it would be good for the cPanel service-certificate area to check for insufficient CAA coverage and report it in the UI as an error condition.
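The failure described in the post, as an added example that is not part of the original post and not cPanel's code: a sketch of the RFC 8659 lookup a coverage check would perform, where the closest name carrying any CAA records decides who may issue. The zone data, the hostnames under `example.com` and the function names are constructed for illustration; `letsencrypt.org`, `sectigo.com` and `comodoca.com` are assumed as the CAs' CAA identifiers, and only non-wildcard names and the `issue` tag are modelled.

```python
# Constructed CAA data: owner name -> list of (flags, tag, value).
ZONE_BEFORE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
}
# Same zone with a more-specific record added for the service hostname.
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER["mail.example.com"] = [(0, "issue", "sectigo.com")]


def relevant_rrset(fqdn, zone):
    """RFC 8659 tree climb: the first name with any CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """Drop parameters after ';' in an issue value; '' means 'no CA'."""
    return value.split(";", 1)[0].strip().lower()


def ca_permitted(fqdn, ca_domains, zone):
    """True if any of ca_domains may issue a non-wildcard cert for fqdn."""
    _, rrset = relevant_rrset(fqdn, zone)
    issuers = [issuer_domain(v) for _, tag, v in rrset if tag.lower() == "issue"]
    if not issuers:  # no CAA found, or no issue tags: issuance unrestricted
        return True
    return any(ca.lower() in issuers for ca in ca_domains)


def coverage_report(hostnames, ca_domains, zone):
    """Return {hostname: (permitted, owner of the deciding CAA RRset)}."""
    return {h: (ca_permitted(h, ca_domains, zone), relevant_rrset(h, zone)[0])
            for h in hostnames}


if __name__ == "__main__":
    sectigo = ["sectigo.com", "comodoca.com"]
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, coverage_report(["mail.example.com", "example.com"], sectigo, zone))
```

Because the more-specific RRset replaces the parent's rather than adding to it, the hostname's own records must list every CA that needs to issue for that name.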