Can't add both TXT and CNAME at the same time for "Custom Hostnames"

Hi there.

Maybe I’m doing it wrong, but I can’t make my domain connection work with the “Custom Hostnames” (aka Cloudflare for SaaS) feature.

It asks me to add both the TXT record and the CNAME record set on my domain but my domain provider doesn’t allow it (AWS Route 53).

This is the one I’m seeing on the Cloudflare page.

And this is the setup I currently got on my Route 53.

And this is the error I get when I try to add the TXT record for the domain. It basically complains that the CNAME is already there, so it can’t add an additional TXT record for it.

Any advice to solve this issue?

Thanks.


The information there is slightly unclear on what you actually need. You are correct that you cannot have a CNAME and a TXT for the same host.

If you want a simple setup then you want to use HTTP validation and just add the CNAME. This will result in a couple of minutes downtime while certificates are issued.

If you cannot tolerate downtime, you can add the TXT record first to issue the cert and then remove that and add the CNAME so it should work instantly with no downtime for validation.

https://developers.cloudflare.com/ssl/ssl-for-saas/common-tasks/certificate-validation-methods/


Hey. Thanks for the reply.

I think my explanation was not very clear. What I’m trying to do is bind my domain (let’s say it’s “api.testnet.cftest.example.com”) to the “fallback domain” (it’s fallback.example.com) of my Custom Hostnames section.

The problem here is Cloudflare asks me to set both CNAME (to fallback domain) and the TXT records in order to verify my domain, but having both TXT and CNAME at the same time is not allowed.

I also tried adding the TXT record first to pass the verification and adding the CNAME afterward to avoid the conflict. This worked, but I’m not sure that this is the best practice. I’m worried about the SSL certificate’s renewal in this case, because I dropped the TXT record already after the initial verification.

What is the correct way of binding the domain through the Custom Hostnames?

Thank you very much.

I think these two pages in the documentation answer your question.

https://developers.cloudflare.com/ssl/ssl-for-saas/common-tasks/certificate-validation-methods/

https://developers.cloudflare.com/ssl/ssl-for-saas/common-tasks/hostname-verification/

There is a difference between the certificate validation TXT and the hostname verification TXT.

It says this in regard to the _cf-custom-hostname TXT:

Once you activate a Custom Hostname, you can remove the TXT record.

With regard to certificate validation, it says this:

If you want to pre-validate your customer’s certificate before they set a CNAME record — either to avoid downtime or prevent any issuance errors — explore TXT, Email, HTTP (manual), or CNAME validation.

If you are using a proxied hostname, new certificates are automatically validated via HTTP.

So you only need the certificate TXT if you want to issue the certificate before pointing the domain, therefore removing downtime. Future certificates will use HTTP validation so will not require that TXT you added.

I believe this is correct and the documentation seems to confirm that as the best way if you want to remove downtime completely.

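The two-phase cutover described in the replies above (validation TXT first, then swap it for the CNAME), modelled against the Route 53 rule that a CNAME may not share its name with any other record. This is an added example, not Cloudflare's or AWS's code; the hostnames are the ones from the question, and the TXT record name and value are placeholders (the real ones come from the Cloudflare dashboard).

```python
# Two-phase DNS cutover from the replies above, modelled against the Route 53
# rule that a CNAME cannot share its name with any other record. Added example,
# not Cloudflare's or AWS's code; hostnames are the ones from the question,
# TXT name and value are placeholders (take the real ones from the dashboard).
HOST = "api.testnet.cftest.example.com"
FALLBACK = "fallback.example.com"
TXT_NAME = HOST                          # placeholder: use the name Cloudflare shows
TXT_VALUE = "cf-validation-PLACEHOLDER"  # placeholder token

def change(action, name, rtype, value, ttl=300):
    """One entry of a Route 53 ChangeResourceRecordSets batch (TXT data quoted)."""
    if rtype == "TXT":
        value = '"' + value.replace('"', '\\"') + '"'
    return {"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": rtype, "TTL": ttl,
        "ResourceRecords": [{"Value": value}]}}

def apply_changes(state, changes):
    """Apply a batch to a constructed zone model {(name, type): value}. The whole
    batch is rejected, as Route 53 does, if a CNAME would share its name with
    another record (RFC 1034 section 3.6.2)."""
    new = dict(state)
    for c in changes:
        rrs = c["ResourceRecordSet"]
        key = (rrs["Name"].lower().rstrip("."), rrs["Type"])
        if c["Action"] == "DELETE":
            new.pop(key, None)
        else:                            # CREATE or UPSERT
            new[key] = rrs["ResourceRecords"][0]["Value"]
    cname_names = {n for n, t in new if t == "CNAME"}
    for n, t in new:
        if n in cname_names and t != "CNAME":
            raise ValueError(f"{n}: CNAME cannot coexist with {t}")
    return new

def cutover_plan():
    """Phase 1: validation TXT only, so the certificate is issued before traffic
    moves. Phase 2: delete the TXT and create the CNAME in one batch, so the two
    never coexist. Later renewals use HTTP validation through the proxied CNAME."""
    return [[change("CREATE", TXT_NAME, "TXT", TXT_VALUE)],
            [change("DELETE", TXT_NAME, "TXT", TXT_VALUE),
             change("CREATE", HOST, "CNAME", FALLBACK)]]

def run_plan(plan, state=None):
    """Apply the phases in order and return the final zone model."""
    state = dict(state or {})
    for batch in plan:
        state = apply_changes(state, batch)
    return state
```

Each phase's list is the `Changes` array of a real `ChangeResourceRecordSets` request; wait for the certificate to show as issued before submitting phase 2.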

Hey. Thanks a ton for the reply. I really appreciate it.

So based on my understanding, the TXT records are required once, only for the initial domain verification, and it would use the automated HTTP verification method afterward when the SSL cert needs a renewal?

The docs you attached said the HTTP renewal is fully automated. Does it mean that there’s nothing I need to do once the custom hostname is in “Active” status?

Sorry to ask you about those items which are already in the docs. I just want to double-check it since I’ll bring this up in production.

Thanks a lot.


That all sounds correct to me. Once you’ve verified it and pointed the CNAME, there shouldn’t be anything else to do.


Awesome! Thanks for your help!

