Cloudflare for SaaS: SSL stuck on pending_validation

I have a few customers using less common TLDs that have trouble validating their SSL certificate.

We tried both the delegated method and the TXT method. I have confirmed the DNS records were indeed correct using dnschecker.

I suspect DNSSEC is not the issue here. Of the customers who are stuck with pending validation, one has it enabled, the other not.

Any pointers on how this can be solved?

  1. Can you share the actual (sub-)domain names that are stuck on pending validation?

  2. Can you share the exact name of any record(s), which you have been told to add to DNS, as a part of the validation process?


@DarkDeviL Thanks for the reply.

  1. Can I share the custom hostname IDs instead? Sorry I’m new on the forum here, I can’t tell if you are a Cloudflare employee with access to a backend?
  2. I should clarify the hostname is verified successfully, only the certificate is not.
  • For the TXT method, the customer added a TXT record with the name _acme-challenge.<hostname> and a long string as the value.
  • For the delegated method, the customer added a CNAME with the name _acme-challenge.<hostname> and the value <hostname>.<string>.dcv.cloudflare.com

If it helps, one is on the .ac domain, the other is a double nested hostname on a (country) .gov domain. I’ve tried with .com and never had this issue.

In addition, I believe the HTTP method should also work, without the other two methods. If I do a GET request to their <hostname>/.well-known/acme-challenge/<string> path, it returns the right value. I can’t get that from the browser though, because it redirects to HTTPS.

At the time of writing this → No, I am not an employee, and I don’t have access to the backend.

However, both I and many other helpful Community members may be able to dig into the problem together with you, and eventually pinpoint the exact place where a misconfiguration could be.

Custom hostname IDs, or any other such internal IDs, won’t be helpful for any of us, as we do not have access to connect them to anything at all.

Thanks @DarkDeviL, let me share one specific case.

The custom hostname is www.ivan.ac. Its CNAME is pointed at my fallback origin custom.nino.page. The delegated method _acme-challenge CNAME is pointed correctly to my internal destination (DNS Checker - DNS Check Propagation Tool). The TXT method value is unfortunately outdated at this point, but it was also correct. The HTTP method also has changing paths, but right now it’s http://www.ivan.ac/.well-known/acme-challenge/q0g_kSYZUtSX5JP05-TFHrCX0ADxlRSLrV_-hiyZdP0SXaSnbOj4OK1uBcmTaWR6 and having the correct value. Any ideas?

The solution is to add CAA records on the root

Hostname: @
Data: 0 issue "pki.goog; cansignhttpexchanges=yes"

Hostname: @
Data: 0 issuewild "pki.goog; cansignhttpexchanges=yes"
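Why a CAA record at the apex fixes a hostname several labels deeper is the relevant-RRset rule of RFC 8659: a CA climbs from the requested name toward the root and uses the first CAA RRset it finds, so an `issue` entry on ivan.ac governs www.ivan.ac and any nested name under it, and a CA not listed there (here Google Trust Services, pki.goog, which issues the Cloudflare for SaaS certificates) must refuse. The script below is an added example, not code from the thread or from Cloudflare; it models that check against constructed zone data (the example.org, nowild.example and nocaa.test names are hypothetical). It does not query DNS, so the zone data stands in for what `dig CAA <name>` would return at each label.

```python
"""Offline model of the RFC 8659 CAA check a CA performs before issuing.

Added example, not from the original thread. ZONES is constructed data;
only ivan.ac mirrors the fix posted above, the other names are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value). Tag is "issue" or "issuewild"; value is
# the CA domain followed by optional ";key=value" parameters.
CAARecord = Tuple[int, str, str]

ZONES: Dict[str, List[CAARecord]] = {
    # The thread's fix: CAA at the apex permitting pki.goog (and SXG signing).
    "ivan.ac.": [
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        (0, "issuewild", "pki.goog; cansignhttpexchanges=yes"),
    ],
    # Hypothetical zone that only allows Let's Encrypt: GTS would be refused.
    "example.org.": [(0, "issue", "letsencrypt.org")],
    # Hypothetical zone that allows pki.goog but forbids every wildcard issuance.
    "nowild.example.": [(0, "issue", "pki.goog"), (0, "issuewild", ";")],
}


def lookup_caa(name: str) -> List[CAARecord]:
    """Stand-in for a DNS CAA query at exactly `name` (CNAME chasing omitted)."""
    return ZONES.get(name.rstrip(".") + ".", [])


def relevant_caa(hostname: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the hostname up to the TLD and return the closest non-empty
    CAA RRset plus the name it was found at (RFC 8659 section 3)."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(name)
        if rrset:
            return name, rrset
    return None, []  # no CAA anywhere in the tree: any CA may issue


def parse_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; k=v' into ('ca.example', {'k': 'v'}).
    A bare ';' yields an empty issuer, which matches no CA (explicit deny)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params


def ca_permitted(hostname: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether `ca_domain` may issue for `hostname` (or *.hostname)."""
    _, rrset = relevant_caa(hostname)
    if not rrset:
        return True
    tags = {tag for _, tag, _ in rrset}
    # For wildcard requests, issuewild records take precedence when present;
    # otherwise the issue records apply to both wildcard and non-wildcard names.
    use_tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    applicable = [v for _, tag, v in rrset if tag == use_tag]
    if not applicable:
        return True  # CAA exists but nothing restricts this kind of issuance
    return any(parse_value(v)[0] == ca_domain.lower() for v in applicable)


def explain(hostname: str, ca_domain: str) -> str:
    """Human-readable diagnosis of where the governing CAA RRset lives."""
    name, rrset = relevant_caa(hostname)
    verdict = "permitted" if ca_permitted(hostname, ca_domain) else "REFUSED"
    where = f"CAA at {name}: {rrset}" if name else "no CAA in the tree"
    return f"{ca_domain} for {hostname}: {verdict} ({where})"


if __name__ == "__main__":
    for host in ("www.ivan.ac", "a.b.www.ivan.ac", "www.example.org", "nocaa.test"):
        print(explain(host, "pki.goog"))
```

The apex record covers the double-nested hostname without any change further down, which is what the thread reports; conversely, a CAA set at an intermediate label (say, on www.ivan.ac itself) would be the closest match and would override the apex for names beneath it. To reproduce the climb by hand, run `dig CAA <name>` for each label from the hostname up to the registrable domain and look at the first non-empty answer.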

Thank you for getting back with the solution!

The CAA being the culprit, while the status is referring to the TXT with “Pending Validation (TXT)”, sounds a bit misleading though, so I’m wondering:

Have you tested and confirmed that CAA was the solution on all of the problematic (sub-)domains, or if it only worked for some of them?

Yeah it seems like GTS (Google Trust Services) is not being recognized by default on certain registries. I got this from a message in the Cloudflare discord community. GTS might be gradually supported over time though, so future users might not have to do this.

This solution worked for my problematic domains, including the nested ones.