Certificate status is stuck in Pending Validation

I am trying to create a custom hostname using Cloudflare for Saas.

I was able to create custom hostnames only a short time ago but I am unable to create new ones because the certificate status keeps getting stuck in “Pending Validation”.

The hostname validation record (_cf-custom-hostname.example) is recognized soon after it is created.

However, the cert validation record (_acme-challenge.example) is not getting recognized.

Instead, the API will turn the status to “processing”, and then issue a new TXT record for me to create instead of validating the first one. I do not know of any logs that I can check but I suspect that there is something going wrong on Cloudflare’s end becase like I said, I have custom hostnames which I created last month that were created just fine.

Also, this is only happenning when Cloudflare selects Google Trust Services to create the cert. Let’s Encrypt works just fine.

Can you share the actual domain(s), hostname(s) and validation record(s) you are referring to, where this is causing problems?

Don’t want to share my exact domain but it is an obscure country code TLD, using Cloudflare’s nameservers.

I’ve tested custom hostnames on standard ‘.com’ TLDs using Google’s nameservers and GTS worked fine.

My theory is that it has something to do with GTS not trusting certain country codes but I’m not 100% sure.

That is perfectly fine.

It does however eliminate the possibility for anyone to attempt to provide any assistance.

Especially given this, there is actually several enthusiasts around on the Cloudflare Community, that could possibly take a look and see if they find something that looks odd, although, that would be completely impossible without that kind of information.

.mp is the country code if that helps.

I can now also confirm that this is a problem with HTTP verification as well.

I take it back. HTTP validation solved it. But it still rotated the secret several times. I’m wondering now if I had continuosly sat there and updated the TXT record, would GTS eventually validated my cert?

The .MP TLD does not have DNSSEC on it’s chain, otherwise I would actually suggest you to look into that, e.g. similar to here:

→ Edge Certificates (pending validation Txt) 24hr+ - #2 by DarkDeviL

That one is actually weird, and may point in the direction that you could have some DNS records that may be conflicting with the records for the domain validation.

If you are having some NS on the same label, or one of it’s parents, where the validation record would be below, that could possibly cause issues.

Or otherwise having records that cannot co-exist with other (e.g. attempting both CNAME and TXT records at the same label), such things can cause problems too.

IIRC, I believe Cloudflare is actually rejecting the creation of the invalid CNAME/TXT combo though.

If GTS checks the DNS token, and that the DNS token that they want to see, is different from what is actually shown on that record, it will indeed prevent the validation from succeeding.

I do however believe it will be wild guessing trying to figure out what went wrong.

Anyway, I’m happy to hear you’ve solved your problem, thanks for returning to the Community about that!