If you receive an error during certificate issuance that says one or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your DNS settings. You can use CAA DNS records to specify that the Amazon certificate authority (CA) can issue ACM certificates for your domain or subdomain.
If you receive the error after your certificate request has been successfully validated, you must update your CAA records and request a certificate again. To do this, please follow the steps below:
The value field in at least one of your CAA records must contain one of the following domain names:
Wait for DNS propagation.
Remove the custom domain request and add it again. If the the request has been successfully validated, you should see the required CNAME records in the list.
If the request fails, please repeat steps 2 to 3.
If you continue to receive this failure message, please contact us at firstname.lastname@example.org.