From c39c9227cb0235a40bbe900096819a14c6eda6d4 Mon Sep 17 00:00:00 2001 From: Leo Chen Date: Wed, 11 Feb 2026 15:46:22 +1100 Subject: [PATCH] Add notes about CAA records to custom domains --- .../build/domains/organization-custom-domain.mdx | 2 ++ .../docs/build/domains/pointing-your-domain.mdx | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/src/content/docs/build/domains/organization-custom-domain.mdx b/src/content/docs/build/domains/organization-custom-domain.mdx index 2faf7275b..dc98183e9 100644 --- a/src/content/docs/build/domains/organization-custom-domain.mdx +++ b/src/content/docs/build/domains/organization-custom-domain.mdx @@ -37,6 +37,8 @@ Instructions will vary depending on your domain provider. Here’s the general p 2. Navigate to the page where you can add DNS records. 3. Use the details provided by Kinde to add CNAME DNS records. +If your domain has **CAA (Certificate Authority Authorization)** records, you must allow both **ZeroSSL** (`sectigo.com`) and **Let's Encrypt** (`letsencrypt.org`), which Kinde uses to provision and renew SSL certificates. See [CAA records (if you use them)](/build/domains/pointing-your-domain/#caa-records-if-you-use-them) in the main custom domain guide for details and sample records. + ## Step 3: Monitor for verification and SSL certificate provisioning 1. Open the individual organization record. diff --git a/src/content/docs/build/domains/pointing-your-domain.mdx b/src/content/docs/build/domains/pointing-your-domain.mdx index d9b5cd201..b0385ad7e 100644 --- a/src/content/docs/build/domains/pointing-your-domain.mdx +++ b/src/content/docs/build/domains/pointing-your-domain.mdx 
@@ -55,6 +55,22 @@ Apologies that we can’t offer instructions for all situations, as this will be +## CAA records (if you use them) + +If your domain has **CAA (Certificate Authority Authorization)** records, they restrict which certificate authorities can issue SSL certificates for your domain. Kinde provisions and renews certificates using **ZeroSSL** and **Let's Encrypt**, so you must allow both in your CAA records or certificate issuance will fail. + +Add CAA records that authorize both providers. For your custom domain (or the subdomain you use, e.g. `account`), add two CAA records like this: + +| Host | Record type | Value | +|------|-------------|--------| +| `account` (or your subdomain) | CAA | `0 issue "sectigo.com"` | +| `account` (or your subdomain) | CAA | `0 issue "letsencrypt.org"` | + +- **ZeroSSL** uses the CA domain **sectigo.com** +- **Let's Encrypt** uses the CA domain **letsencrypt.org** + +If you only list one CA in your CAA records, add the other. If you have no CAA records, you don't need to add any; certificate issuance will work as normal. + ## Check verification status in Kinde Once you have created the DNS entries, Kinde will start the verification process. This can take anywhere from a few minutes to a couple of hours. When it completes, the verification status will change to 'Provisioned' and an SSL certificate will be provisioned.
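Review bot: In organization-custom-domain.mdx, the paragraph added after step 3 repeats the CA identifiers (`sectigo.com`, `letsencrypt.org`) that the new section in pointing-your-domain.mdx already lists, so a later change of certificate provider has to be made in two files. Suggest keeping only the one-sentence requirement here and leaving the identifiers and sample records to the linked section. The link fragment `#caa-records-if-you-use-them` is derived from the heading text added in the other file, so rewording that heading breaks this link; if the docs build does not check anchors, consider an explicit anchor id on the heading.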
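Review bot: In pointing-your-domain.mdx, the sample table places both CAA records at the subdomain host (`account`), while the section opens with "If your domain has CAA records", and the text never says where the reader's existing records live or which set wins. CAs look up CAA by starting at the requested name and walking up through the parent names, using the first CAA record set they find (RFC 8659). A reader whose apex lists only their current CA can therefore either add the two `issue` entries to that existing set, or add a new set at `account`, which then replaces the inherited policy for that name; the section should say which one is intended. Also worth a sentence: if `account` is created as a CNAME, as step 3 of organization-custom-domain.mdx instructs, DNS does not allow a CAA record alongside a CNAME at the same name, so the rows in this table cannot be added at that host and would have to go at the parent name.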