Freshworks uses LetsEncrypt as its Certificate Authority Authorization (CAA) to get certificates for custom domains.


In March 2024, the CAA updated its validation process to verify domain ownership.

  • Previously, they sent 3 validation calls from a singular region.
  • Now, they send 5 validation calls from multiple regions. This is a more secure process.


However, if you use geoblocking or have firewall rules to block requests from unknown regions, the new process may cause your certificate validation to fail. To fix this issue:

  1. (Preferred) Allow all traffic on HTTP/TCP Port 80 for request path /.well-known/acme-challenge/ from all regions.
  2. (Alternative) Avoid Geoblocking and Firewall rules based on specific regions.
  3. (Unfeasible) The DNS-01 challenge is another alternative approach. However, manual intervention is inherently required for every certificate procurement.


Learn more from the CAA.