If you are using Strapi Cloud with Custom Domains, you may already have a Certificate Authority Authorization DNS record (CAA Record) configured on your top level domain.
If this is the case, you will need to add two additional values to this record, or additional CAA records, to ensure that Strapi Cloud can properly issue SSL certificates on your behalf for your Strapi Cloud Project.
To check if you have a pre-existing CAA record, you can use the following command on Mac and/or Linux:

    dig caa yourDomain.com

Within the "Answer Section" you will see the various records, if there are any. They will appear like so:

    $ dig caa yourDomain.com

    ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> yourDomain.com caa
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
    ;; flags: qr rd ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;yourDomain.com. IN CAA

    ;; ANSWER SECTION:
    yourDomain.com. 0 IN CAA 0 issue "someCA.com"
    yourDomain.com. 0 IN CAA 0 issuewild "someCA.com"

To allow Strapi Cloud to issue SSL Certificates on your behalf you will need to add the following two Certificate Authorities to your CAA records:

    # CAA records added by Let's Encrypt
    0 issue "letsencrypt.org"
    0 issuewild "letsencrypt.org" // Optional

    # CAA records added by Google Trust Services
    0 issue "pki.goog; cansignhttpexchanges=yes"
    0 issuewild "pki.goog; cansignhttpexchanges=yes" // Optional

Strapi Cloud uses Google Trust Services by default and can fall back to Let's Encrypt, so both of these need to be added to your CAA record.
After you modify your CAA record, it can take up to 24 to 48 hours to propagate across the internet. Once it has propagated, you will need to manually trigger a new deployment of your application, which will restart the SSL generation process.
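
To confirm the records before triggering that deployment, the following added example (not Strapi's own tooling) parses `dig +short caa` style output and lists which of the two CAs named above are still missing from the `issue` records. The function name `missing_caa_issuers` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Strapi Cloud. The two CA domains come from this page.
REQUIRED_CAS="pki.goog letsencrypt.org"

# missing_caa_issuers (hypothetical helper): reads `dig +short caa <domain>`
# style lines on stdin (flags, tag, quoted value) and prints each required CA
# that no "issue" record authorizes. Prints nothing when there are no "issue"
# records at all, because CAA then places no restriction on non-wildcard issuance.
missing_caa_issuers() {
    awk -v required="$REQUIRED_CAS" '
        tolower($2) == "issue" {
            seen_issue = 1
            value = $0
            sub(/^[^"]*"/, "", value)   # drop flags, tag and opening quote
            sub(/".*$/, "", value)      # drop closing quote and anything after it
            sub(/;.*$/, "", value)      # drop parameters such as cansignhttpexchanges=yes
            gsub(/[ \t]/, "", value)
            allowed[tolower(value)] = 1
        }
        END {
            if (!seen_issue) exit 0
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in allowed)) print req[i]
        }'
}

# Constructed sample: the "before" state from the dig output shown above.
SAMPLE_BEFORE='0 issue "someCA.com"
0 issuewild "someCA.com"'

# Constructed sample: the same zone after adding the records from this page.
SAMPLE_AFTER='0 issue "someCA.com"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"'

printf 'before, missing: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | missing_caa_issuers | tr '\n' ' ')"
printf 'after, missing:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | missing_caa_issuers | tr '\n' ' ')"
```

Against a live zone, run `dig +short caa yourDomain.com | missing_caa_issuers`; empty output means both CAs are authorized or no `issue` restriction exists.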
If you have any issues, please contact the support team using the "Help" icon within the Strapi Cloud Dashboard and open a ticket with us.