From b3c83252658ee0b327d3649aae96b06b58643f63 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <rtamachiro@cloudflare.com>
Date: Wed, 15 Jan 2025 15:48:16 +0000
Subject: [PATCH 1/3] Add ssl.com CAA examples to SSL4SaaS troubleshooting

---
 .../cloudflare-for-saas/reference/troubleshooting.mdx      | 7 +++++--
 .../validate-certificates/troubleshooting.mdx              | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx
index b1733cfdc90891f..0c96c5cd8b3d54d 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/troubleshooting.mdx
@@ -66,11 +66,14 @@ You will need to ensure that the required CAA records for the selected Certifica
 For example, here are the records required to issue [Let's Encrypt](https://letsencrypt.org/docs/caa/) and [Google Trust Services](https://pki.goog/faq/#caa) certificates:
 
 ```
+example.com CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
+example.com CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
+
 example.com CAA 0 issue "letsencrypt.org"
 example.com CAA 0 issuewild "letsencrypt.org"
 
-example.com CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
-example.com CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
+example.com CAA 0 issue "ssl.com"
+example.com CAA 0 issuewild "ssl.com"
 ```
 
 More details can be found on the [CAA records FAQ](/ssl/edge-certificates/troubleshooting/caa-records/).
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/troubleshooting.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/troubleshooting.mdx
index dda50fdb9ed58ba..e9fb440badc31ad 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/troubleshooting.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/troubleshooting.mdx
@@ -26,8 +26,9 @@ CAA is a DNS resource record type defined in [RFC 6844](https://datatracker.ietf
 If your customer has CAA records set on their domain, they will either need to add the following or remove CAA entirely:
 
 ```txt
-example.com. IN CAA 0 issue "letsencrypt.org"
 example.com. IN CAA 0 issue "pki.goog"
+example.com. IN CAA 0 issue "letsencrypt.org"
+example.com. IN CAA 0 issue "ssl.com"
 ```
 
 While it is possible for CAA records to be set on the subdomain your customer wishes to use with your service, it will usually be set on the domain apex. If they have CAA records on the subdomain, those will also have to be removed.

From cb7be449dd282dd783a737f051a0ba414fac0dfa Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <rtamachiro@cloudflare.com>
Date: Wed, 15 Jan 2025 15:51:33 +0000
Subject: [PATCH 2/3] Add ssl.com to CAA records in debugging-pages.mdx

---
 src/content/docs/pages/configuration/debugging-pages.mdx | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/content/docs/pages/configuration/debugging-pages.mdx b/src/content/docs/pages/configuration/debugging-pages.mdx
index 2a4f6609e3bbbb2..803735ff077f880 100644
--- a/src/content/docs/pages/configuration/debugging-pages.mdx
+++ b/src/content/docs/pages/configuration/debugging-pages.mdx
@@ -159,9 +159,11 @@ To resolve this, you will need to add the following CAA records which allows all
 example.com.            300     IN      CAA     0 issue "comodoca.com"
 example.com.            300     IN      CAA     0 issue "letsencrypt.org"
 example.com.            300     IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
+example.com.            300     IN      CAA     0 issue "ssl.com"
 example.com.            300     IN      CAA     0 issuewild "comodoca.com"
 example.com.            300     IN      CAA     0 issuewild "letsencrypt.org"
 example.com.            300     IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
+example.com.            300     IN      CAA     0 issuewild "ssl.com"
 ```
 
 ### Zone holds

From a62321d48162ff64779b0e4ecaa66b0e9894422f Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <rtamachiro@cloudflare.com>
Date: Wed, 15 Jan 2025 15:52:50 +0000
Subject: [PATCH 3/3] Remove Comodo CA from CAA records in debugging-pages

---
 src/content/docs/pages/configuration/debugging-pages.mdx | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/content/docs/pages/configuration/debugging-pages.mdx b/src/content/docs/pages/configuration/debugging-pages.mdx
index 803735ff077f880..d5ecaec0fccd711 100644
--- a/src/content/docs/pages/configuration/debugging-pages.mdx
+++ b/src/content/docs/pages/configuration/debugging-pages.mdx
@@ -156,11 +156,9 @@ In the above example, there is only a single CAA record which is allowing Amazon
 To resolve this, you will need to add the following CAA records which allows all of the Certificate Authorities (CAs) Cloudflare uses to issue certificates:
 
 ```
-example.com.            300     IN      CAA     0 issue "comodoca.com"
 example.com.            300     IN      CAA     0 issue "letsencrypt.org"
 example.com.            300     IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
 example.com.            300     IN      CAA     0 issue "ssl.com"
-example.com.            300     IN      CAA     0 issuewild "comodoca.com"
 example.com.            300     IN      CAA     0 issuewild "letsencrypt.org"
 example.com.            300     IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
 example.com.            300     IN      CAA     0 issuewild "ssl.com"