CAA records are a type of DNS record which specifies who is authorised to deliver SSLs for the domain.  There are a number of CAA record checkers available for you to use for free (give it a quick Google), then just pop in the domain and it will show you the results.  In the example you can see that digicert.com have 2 CAA records, and that only digicert.com are authorised to apply SSLs and that they allow either just the domain or a wildcard SSL to be applied (wildcard would cover subdomains, so anything.digicert.com)



If you're trying to apply a Let's Encrypt though our platform and see the following message then it looks as though you have a CAA record in the DNS which is blocking Let's Encrypt from applying an SSL to the site.  To change this you need to look at the DNS zone that's in place for the domain on the nameservers that you're using.  Either remove the CAA that's in place or add a CAA record specifying that Let's Encrypt (letsencrypt.org) is authorised so that the SSL can be applied.