diff --git a/src/content/docs/build/domains/organization-custom-domain.mdx b/src/content/docs/build/domains/organization-custom-domain.mdx index 77d7528f6..0808cb1e6 100644 --- a/src/content/docs/build/domains/organization-custom-domain.mdx +++ b/src/content/docs/build/domains/organization-custom-domain.mdx @@ -58,6 +58,8 @@ Instructions will vary depending on your domain provider. Here’s the general p 2. Navigate to the page where you can add DNS records. 3. Use the details provided by Kinde to add CNAME DNS records. +If your domain has **CAA (Certificate Authority Authorization)** records, you must allow both **ZeroSSL** (`sectigo.com`) and **Let's Encrypt** (`letsencrypt.org`), which Kinde uses to provision and renew SSL certificates. See [CAA records (if you use them)](/build/domains/pointing-your-domain/#caa-records-if-you-use-them) in the main custom domain guide for details and sample records. + ## Step 3: Monitor for verification and SSL certificate provisioning 1. Open the individual organization record. diff --git a/src/content/docs/build/domains/pointing-your-domain.mdx b/src/content/docs/build/domains/pointing-your-domain.mdx index bec35c21c..74d9ba814 100644 --- a/src/content/docs/build/domains/pointing-your-domain.mdx +++ b/src/content/docs/build/domains/pointing-your-domain.mdx 
@@ -77,6 +77,22 @@ Apologies that we can’t offer instructions for all situations, as this will be +## CAA records (if you use them) + +If your domain has **CAA (Certificate Authority Authorization)** records, they restrict which certificate authorities can issue SSL certificates for your domain. Kinde provisions and renews certificates using **ZeroSSL** and **Let's Encrypt**, so you must allow both in your CAA records or certificate issuance will fail. + +Add CAA records that authorize both providers. For your custom domain (or the subdomain you use, e.g. `account`), add two CAA records like this: + +| Host | Record type | Value | +|------|-------------|--------| +| `account` (or your subdomain) | CAA | `0 issue "sectigo.com"` | +| `account` (or your subdomain) | CAA | `0 issue "letsencrypt.org"` | + +- **ZeroSSL** uses the CA domain **sectigo.com** +- **Let's Encrypt** uses the CA domain **letsencrypt.org** + +If you only list one CA in your CAA records, add the other. If you have no CAA records, you don't need to add any; certificate issuance will work as normal. + ## Check verification status in Kinde Once you have created the DNS entries, Kinde will start the verification process. This can take anywhere from a few minutes to a couple of hours. When it completes, the verification status will change to 'Provisioned' and an SSL certificate will be provisioned.
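Review bot: in the organization-custom-domain.mdx hunk, the link fragment `#caa-records-if-you-use-them` is derived from the new heading "CAA records (if you use them)" added to pointing-your-domain.mdx, and heading-slug generators treat the parentheses differently (some produce `caa-records-if-you-use-them`, others keep a trailing `-` or double hyphen), so confirm the rendered anchor in the built site or link to the page without the fragment. A minor wording point: the added sentence says Kinde uses the CAs to provision "SSL certificates"; the sibling page's hunk uses the same term, so the two stay consistent, but "TLS certificates" (or "SSL/TLS") is the accurate name.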
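Review bot: in the pointing-your-domain.mdx hunk, the table places both CAA records on the `account` subdomain, but the surrounding text never states how CAA is evaluated: a CA looks for the CAA record set on the exact name and, finding none, walks up to the closest ancestor that has one (RFC 8659), and any CAA set on the subdomain replaces the parent's set entirely rather than adding to it. A reader whose CAA records live only at the apex and who adds nothing at `account` is still governed by the apex set, so suggest rewording to "add `sectigo.com` and `letsencrypt.org` wherever your existing CAA records are defined, or create a complete set on the subdomain that lists both". Two further points worth a sentence each: if the existing set contains `issuewild` records, the same two CAs need to be listed there as well, and a post-change check such as `dig CAA account.example.com +short` (with a placeholder domain) lets the reader confirm both `issue` values before waiting on Kinde's provisioning.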