diff --git a/server/lib/classes/letsencrypt.inc.php b/server/lib/classes/letsencrypt.inc.php
index 3ce63b48b48d0a86f420c5b6a1fbc4415fa33644..5a4217d6975e4d4eb22fc4526db177fbd612d217 100644
--- a/server/lib/classes/letsencrypt.inc.php
+++ b/server/lib/classes/letsencrypt.inc.php
@@ -30,7 +30,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. class letsencrypt { - /** + /** * Construct for this class * * @return system
@@ -373,13 +373,38 @@ class letsencrypt { if((isset($web_config['skip_le_check']) && $web_config['skip_le_check'] == 'y') || (isset($server_config['migration_mode']) && $server_config['migration_mode'] == 'y')) { $le_domains[] = $temp_domain; } else { - $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file)); - if($le_hash_check == $le_rnd_hash) { - $le_domains[] = $temp_domain; - $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG); + //check caa-record + $caa_check = false; + $caa_domain = $temp_domain; + $count = substr_count($caa_domain, '.'); + if($count === 2) { + if(strlen(explode('.', $caa_domain)[1]) > 3) { + $caa_domain = explode('.', $caa_domain, 2)[1]; + } + } else if($count > 2) { + $caa_domain = get_domain(explode('.', $caa_domain, 2)[1]); + } + $caa_records = @dns_get_record($caa_domain, DNS_CAA); // requieres PHP 7.0.16, 7.1.2 + if(is_array($caa_records) && !empty($caa_records)) { + foreach ($records as $record) { + if($record['value'] == 'letsencrypt.org') $caa_check = true; + } + } else { + $caa_check = true; + } + + if($caa_check === true) { + $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file)); + if($le_hash_check == $le_rnd_hash) { + $le_domains[] = $temp_domain; + $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG); + } else { + $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); + } } else { - $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); + $app->log("Incomplete CAA-Records for " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN); } + } } $temp_domains = $le_domains;
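Review bot: The CAA loop at `foreach ($records as $record)` iterates a variable that is never assigned — the lookup result lives in `$caa_records` — so whenever an RRset exists the loop never runs, `$caa_check` stays false, and every domain that has any CAA record is dropped with the "Incomplete CAA-Records" warning. The match is also too coarse: `$record['value']` is compared to `letsencrypt.org` without looking at `$record['tag']`, so an RRset holding only `iodef` records (which does not restrict issuance under RFC 8659) blocks the domain, while an `issue` value with parameters such as `letsencrypt.org; validationmethods=http-01` fails the exact-string compare; if `$temp_domain` can be a wildcard, `issuewild` would need the same treatment. Separately, the lookup targets one parent guessed from the label count rather than walking from the FQDN upward as the CA does, so a CAA record set directly on `$temp_domain` is never consulted — tolerable for a pre-flight check, but worth a comment saying it is a heuristic. The enclosing loop and method begin before this hunk. Rewriting the lookup block along these lines fixes the first two points:
```php
// … unchanged: $caa_domain selection …
$caa_records = @dns_get_record($caa_domain, DNS_CAA); // requires PHP 7.0.16 / 7.1.2
if(is_array($caa_records) && !empty($caa_records)) {
	$issue_tags = 0;
	foreach ($caa_records as $record) {
		// for a non-wildcard name only "issue" restricts issuance; iodef etc. do not
		if(!isset($record['tag']) || strtolower($record['tag']) !== 'issue') continue;
		$issue_tags++;
		// the value may carry parameters, e.g. "letsencrypt.org; validationmethods=http-01"
		$issuer = trim(explode(';', $record['value'], 2)[0]);
		if(strcasecmp($issuer, 'letsencrypt.org') === 0) $caa_check = true;
	}
	// an RRset without any "issue" tag does not restrict issuance
	if($issue_tags === 0) $caa_check = true;
} else {
	$caa_check = true;
}
// … unchanged: HTTP reachability check and logging …
```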