Configuring CAA DNS records for Strapi Cloud

Last updated: March 3, 2025

If you use custom domains with Strapi Cloud, you might have Certificate Authority Authorization (CAA) DNS records configured on your top-level domain. These records need specific values to allow Strapi Cloud to issue SSL certificates for your project.

Check your existing CAA records

Use this command on Mac or Linux to view your current CAA records:

dig caa yourDomain.com

The answer section will show existing records, for example:

yourDomain.com.       0       IN      CAA     0 issue "someCA.com"
yourDomain.com.       0       IN      CAA     0 issuewild "someCA.com"

Required CAA records

Add these Certificate Authority values to your DNS records:

# Let's Encrypt records
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"

# Google Trust Services records
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

Important

  1. Strapi Cloud primarily uses Google Trust Services

  2. Let's Encrypt serves as a fallback

  3. Add both providers to ensure certificate generation

  4. Wildcard records (issuewild) are optional
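
To check a domain's existing records against the values above, the following added example (not Strapi's own tooling) reads CAA answer lines and lists which of the two required CAs are not yet authorized. The function names `missing_cas` and `sample_answer` are hypothetical, the sample input is constructed from the example answer section on this page, and the check assumes standard CAA semantics: once any `issue` record exists, only the listed CAs may issue.

```shell
# Hypothetical helper: reads CAA answer lines (dig format) on stdin and prints
# each CA required by this page that the record set does not authorize.
missing_cas() {
  awk '
    /^[ \t]*(;|$)/ { next }            # skip dig comment lines and blanks
    {
      for (i = 1; i < NF; i++) {
        if (tolower($i) == "issue") {  # issuewild is optional, so not checked
          seen = 1
          v = $(i + 1)
          gsub(/"/, "", v)             # drop the quotes around the value
          sub(/;.*/, "", v)            # drop parameters such as cansignhttpexchanges
          allowed[tolower(v)] = 1
          break
        }
      }
    }
    END {
      # With no issue record at all, CAA does not restrict issuance.
      n = split("pki.goog letsencrypt.org", req, " ")
      for (k = 1; k <= n; k++)
        if (seen && !(req[k] in allowed)) print req[k]
    }'
}

# Constructed sample: the example answer section shown above.
sample_answer() {
  cat <<'EOF'
yourDomain.com.       0       IN      CAA     0 issue "someCA.com"
yourDomain.com.       0       IN      CAA     0 issuewild "someCA.com"
EOF
}

# Live use: dig +noall +answer caa yourDomain.com | missing_cas
sample_answer | missing_cas
```

Empty output means the record set already permits both CAs, either because both are listed or because no `issue` record exists.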

After updating records:

  1. Wait 24-48 hours for DNS propagation

  2. Trigger a new deployment to restart SSL generation

Need help? Contact our support team through the help icon in your Strapi Cloud dashboard.