CAA (Certification Authority Authorization) is an optional DNS record that tells certificate authorities which providers are allowed to issue TLS certificates for your domain. Most domains do not have CAA records, in which case there is nothing to do — TLS issuance for your Onelink subdomain will just work.
If your root domain does have CAA records, you must explicitly allow Let's Encrypt, which is the certificate authority we use. Add the following entry alongside your existing CAA records, on the subdomain you're using with Onelink.to:
- Type: CAA
- Name: your subdomain (e.g. app)
- Data: 0 issue "letsencrypt.org"
- TTL: 3600 (or Auto)
Not sure if your domain has CAA records? Open your DNS provider's dashboard and look for any entries of type CAA on the root domain. If there are none, you can skip this step entirely. If there are, add the entry above before clicking "Setup Domain" — otherwise certificate issuance will fail and verification will not complete.
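To see why CAA records on the root block issuance and why the subdomain entry fixes it, here is an added example (not Onelink's or Let's Encrypt's code) of the lookup a certificate authority performs under RFC 8659: it climbs from the requested name toward the root and applies the first CAA record set it finds. It is simplified to non-wildcard names and ignores CNAMEs and the critical flag. The zone data, `example.com`, `app` and `ca.example` are constructed placeholders.

```python
# Added example: simplified RFC 8659 CAA evaluation for a non-wildcard name.
# All zone data below is constructed; example.com / ca.example are placeholders.

def parse_caa(rdata):
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def may_issue(fqdn, zone, ca="letsencrypt.org"):
    """Return (allowed, reason) for the CA identified by `ca`."""
    name, records = relevant_rrset(fqdn, zone)
    if not records:
        return True, "no CAA records found: issuance unrestricted"
    # Keep only the issuer domain; parameters after ';' are dropped.
    issuers = [v.split(";")[0].strip().lower()
               for _, tag, v in records if tag == "issue"]
    if not issuers:
        return True, f"CAA at {name} has no issue tag: unrestricted"
    if ca in issuers:
        return True, f"{ca} authorized by CAA at {name}"
    return False, f"CAA at {name} authorizes only {sorted(set(issuers))}"

# Constructed zones: no CAA, CAA on the root only, and root plus the entry above.
NO_CAA = {}
ROOT_ONLY = {"example.com": ['0 issue "ca.example"']}
FIXED = {**ROOT_ONLY, "app.example.com": ['0 issue "letsencrypt.org"']}

if __name__ == "__main__":
    for label, zone in [("no CAA", NO_CAA), ("root only", ROOT_ONLY),
                        ("subdomain entry added", FIXED)]:
        print(f"{label}: {may_issue('app.example.com', zone)}")
```
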