The most common cause of failed issuance (or renewal) is invalid or
missing DNS records, which prevent Certificate Manager from
validating domain ownership.
- Check that the DNS record can be reached via public DNS. The value of
  the `_acme-challenge` CNAME record (the underscore is required) for your
  domain should return the value provided in the `dnsResourceRecord.data`
  from when you created the authorization. You can
  [use Google Public DNS](https://dns.google.com/) to quickly check that
  the record is resolvable and valid.
- Ensure that the domains you are requesting certificates for either
  match, or are subdomains of, the authorizations you are associating with
  the certificate request. For example, an authorization for
  `media.example.com` allows you to issue certificates for
  `media.example.com`, `uk.media.example.com` and
  `staging.media.example.com`, but not `www.example.com`.
- Existing CAA records on your
  domain might prevent Certificate Manager from issuing certificates for
  your domain. You should ensure that there is a CAA record for
  `pki.goog` to allow Google to issue certificates for your authorized domains.
  If the issue is due to a CAA record restriction, the `failure_reason` field
  in the API response contains a value of `CAA`.
- You can only attach certificates with scope `EDGE_CACHE` to an Edge
  Cache Service. If you did not explicitly specify a scope of `EDGE_CACHE`
  when creating the certificate, you must re-issue the certificate
  using an existing DNS authorization.
When creating a certificate with multiple domain names, any invalid domain
authorization prevents the certificate from being issued or renewed. This ensures
that all of your requested domains are included in the issued certificate.
Make sure that the DNS record, domain name, and CAA record configuration are
valid for each of the domains associated with a certificate.
Failure reasons
The following table describes the failure reasons that might be returned when
attempting to issue a certificate, their causes, and suggested fixes:
| Type | Error | Troubleshooting Steps |
|------|-------|-----------------------|
| DNS Authorization | `CONFIG` | We were unable to validate the certificate via DNS. In most cases, this means the DNS record is missing, invalid (incorrectly copied), or you are trying to issue a certificate for a subdomain that is not a child of the authorized domain. |
| DNS Authorization | `CAA` | Certificate issuance is prohibited by the current set of [CAA records](/media-cdn/docs/ssl-cerificates#caa-records-roots) associated with the domain or the CAA record might have only just been updated. |
| DNS Authorization | `RATE_LIMITED` | (Uncommon) You might be issuing certificates at a rate faster than accepted by the CA or domain (for example, tens per minute or more). |
| Certificate | `AUTHORIZATION_ISSUE` | The individual domain failed authorization. Check the value of `managed.authorizationAttemptInfo.failureReason` for the domain to understand why authorization might have failed. |
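The DNS checks described on this page (authorization coverage, the `_acme-challenge` CNAME value, and CAA) can be combined into a preflight that predicts a `CONFIG` or `CAA` failure before a certificate is requested. The following is an added example, not Google's code: the zone data, the token value, `ca.example.net` and all function names are constructed for illustration, and the CAA check is a simplified RFC 8659 lookup that ignores wildcard (`issuewild`) handling.

```python
# Constructed zone data standing in for public DNS answers; every name and
# token below is a placeholder, not a real Certificate Manager value.
ZONE = {
    ("_acme-challenge.media.example.com", "CNAME"): ["token-1234.dns-auth.example.net."],
    ("example.com", "CAA"): [(0, "issue", "ca.example.net")],
    ("media.example.com", "CAA"): [(0, "issue", "pki.goog"),
                                   (0, "iodef", "mailto:sec@example.com")],
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def covered_by(domain, auth_domain):
    """True if domain equals the authorized domain or is a subdomain of it."""
    d, a = norm(domain), norm(auth_domain)
    return d == a or d.endswith("." + a)

def cname_matches(zone, auth_domain, expected_data):
    """Compare the _acme-challenge CNAME with dnsResourceRecord.data."""
    answers = zone.get(("_acme-challenge." + norm(auth_domain), "CNAME"), [])
    return any(norm(a) == norm(expected_data) for a in answers)

def caa_allows(zone, domain, ca="pki.goog"):
    """Climb towards the root; the closest non-empty CAA RRset decides."""
    labels = norm(domain).split(".")
    for i in range(len(labels)):
        rrset = zone.get((".".join(labels[i:]), "CAA"))
        if rrset:
            issuers = [v.split(";")[0].strip().lower()
                       for _, tag, v in rrset if tag == "issue"]
            return not issuers or ca in issuers  # no issue tag: no restriction
    return True  # no CAA record at any level: any CA may issue

def preflight(zone, domain, auth_domain, expected_data, ca="pki.goog"):
    """Return the failure reasons (as named on this page) a request would likely hit."""
    reasons = []
    if not covered_by(domain, auth_domain) or \
       not cname_matches(zone, auth_domain, expected_data):
        reasons.append("CONFIG")
    if not caa_allows(zone, domain, ca):
        reasons.append("CAA")
    return reasons

if __name__ == "__main__":
    expected = "token-1234.dns-auth.example.net."
    for name in ("uk.media.example.com", "www.example.com"):
        print(name, preflight(ZONE, name, "media.example.com", expected) or "ok")
```

Because a certificate with multiple domain names fails if any one authorization is invalid, run `preflight` for every domain on the request and treat any non-empty result as blocking.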
Last updated 2025-08-29 UTC.