Custom hostnames realtime validation is sometimes not working

According to the documentation here https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/realtime-validation/ I understand that if the user has correctly set a CNAME entry targeting the fallback origin, realtime validation should occur with no further setup.

It’s working as expected for most of the domains, but sometimes it’s not, and it’s stuck in the “Pending validation HTTP” state.

I’m creating the hostnames through the API.

This user has 4 subdomains set up as custom hostnames.
The CNAME is correctly set for all domains.
Only one has been automatically validated with realtime CNAME validation.
The others won’t. I tried to recreate these entries, manually or through the API, but they are stuck.

I’d like to avoid handling all the validation via HTTP validation.

Has anyone already encountered this issue?

Hi there,

More often than not, customers have firewall rules that prevent the certificate from being validated by the CA.
Check Security Events and filter by Path + Contains + /.well-known/
If you find a custom rule of yours blocking it, add the ASN as an exception to it.

Take care.

Thanks for the answer.
I don’t think that’s the issue, or there’s something I don’t get.

My customers should just add a CNAME entry that points to my fallback origin into their own DNS settings, and Cloudflare should automatically validate it on its own.

Moreover, for the same domain aaa.tech.com it worked, while for bbb.tech.com and ccc.tech.com it didn’t.
aaa, bbb and ccc all have a CNAME entry pointing to my fallback address.

Thanks

I have implemented the HTTP validation on our side, but it’s not working either.
And from my test, Cloudflare is handling the validation on its side, serving the right body for the right URL, so my implementation is not necessary.

For some custom hostnames, Cloudflare auto-validates the SSL certificate, and for others it won’t.

It generates certificate challenges indefinitely.

Please have a look at this example.
I have created a custom hostname through an API call:

// Build the create-custom-hostname request. JSON.stringify escapes the hostname
// instead of splicing it into a hand-written JSON string.
const options = {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'Authorization': 'Bearer ' + CLOUDFLARE_API_KEY },
  body: JSON.stringify({
    hostname,
    ssl: { bundle_method: 'ubiquitous', method: 'http', type: 'dv', wildcard: false,
           settings: { ciphers: ['ECDHE-RSA-AES128-GCM-SHA256', 'AES128-SHA'], early_hints: 'on',
                       http2: 'on', min_tls_version: '1.2', tls_1_3: 'on' } },
  }),
};

// Runs inside an async function; CLOUDFLARE_ZONE_ID and CLOUDFLARE_API_KEY are defined elsewhere.
const result = await fetch('https://api.cloudflare.com/client/v4/zones/' + CLOUDFLARE_ZONE_ID + '/custom_hostnames', options);

Right after that, I’m doing curl calls to the API every 20 seconds and I can see that it is looping on generating new challenges indefinitely:

$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
      "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "pending",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
          "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
      "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "processing",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
          "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
      "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "processing",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
          "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
      "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "processing",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd",
          "http_body": "etjMYNsPXBWAUyAhW-3BSK3-Q_TTo7DDfjYZ71Mq_INOGqzwD1ok2Gnfx7BgkUNd.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/878JCvcPqUdWlxtjkdONHhEWMhe8IMkcanO0199jzHh1BNBA1mYohdEg1odJfsQ_",
      "http_body": "878JCvcPqUdWlxtjkdONHhEWMhe8IMkcanO0199jzHh1BNBA1mYohdEg1odJfsQ_.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "processing",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/878JCvcPqUdWlxtjkdONHhEWMhe8IMkcanO0199jzHh1BNBA1mYohdEg1odJfsQ_",
          "http_body": "878JCvcPqUdWlxtjkdONHhEWMhe8IMkcanO0199jzHh1BNBA1mYohdEg1odJfsQ_.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}
$ curl -X GET https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/CUSTOM_HOSNAME_ID -H "Authorization: Bearer MY_BEARER" -H 'Content-Type: application/json'
{
  "result": {
    "id": "CUSTOM_HOSNAME_ID",
    "hostname": "subdomain.domain.tld",
    "ssl": {
      "id": "b1e8f56d-4273-44a5-bdab-b41a0a404f0e",
      "type": "dv",
      "method": "http",
      "status": "pending_validation",
      "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/6efdioeMQ4jOcdfnN7alUw_dvqgPDKWkV1622IQ3fdlCx-wvp95dIlwYRuRGk0Gx",
      "http_body": "6efdioeMQ4jOcdfnN7alUw_dvqgPDKWkV1622IQ3fdlCx-wvp95dIlwYRuRGk0Gx.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI",
      "validation_records": [
        {
          "status": "pending",
          "http_url": "http://subdomain.domain.tld/.well-known/acme-challenge/6efdioeMQ4jOcdfnN7alUw_dvqgPDKWkV1622IQ3fdlCx-wvp95dIlwYRuRGk0Gx",
          "http_body": "6efdioeMQ4jOcdfnN7alUw_dvqgPDKWkV1622IQ3fdlCx-wvp95dIlwYRuRGk0Gx.r54qAqCZSs4xyyeamMffaxyR1FWYVb5OvwUh8EcrhpI"
        }
      ],
      "settings": {
        "http2": "on",
        "tls_1_3": "on",
        "min_tls_version": "1.2",
        "ciphers": [
          "AES128-SHA",
          "ECDHE-RSA-AES128-GCM-SHA256"
        ],
        "early_hints": "on"
      },
      "bundle_method": "ubiquitous",
      "wildcard": false,
      "certificate_authority": "google"
    },
    "status": "active",
    "created_at": "2023-09-18T13:33:52.590851Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}

It alternates between no validation record at all, pending_validation status and processing status.
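As an added example, not code from the thread or from Cloudflare, here is a small offline triage helper for a poll sequence like the one above: it takes the parsed JSON of successive GET responses, extracts each ACME token from `http_url`, checks that `http_body` is that token's key authorization, and flags a run that keeps minting new tokens without ever reaching `active`. The hostname, tokens and thumbprint in the sample are constructed placeholders.

```javascript
// Added example: offline triage of polled GET .../custom_hostnames/{id} responses
// in the shape shown in the thread. A healthy run reaches ssl.status "active"; a run
// that keeps minting new ACME tokens while staying "pending_validation" is the loop
// the post describes.

// Pull the token out of http://host/.well-known/acme-challenge/<token>
function challengeToken(httpUrl) {
  const m = /\/\.well-known\/acme-challenge\/([A-Za-z0-9_-]+)$/.exec(httpUrl || '');
  return m ? m[1] : null;
}

// An ACME key authorization is "<token>.<account key thumbprint>"; a body that
// does not start with its own token could never satisfy the challenge.
function bodyMatchesToken(httpBody, token) {
  return token !== null && typeof httpBody === 'string' && httpBody.startsWith(token + '.');
}

// Summarise one poll sequence (each element is the parsed JSON of one GET).
function summarizePolls(responses) {
  const tokens = new Set();
  const recordStates = [];
  let mismatches = 0;
  let finalStatus = null;
  for (const r of responses) {
    const ssl = r.result.ssl;
    finalStatus = ssl.status;
    const records = ssl.validation_records || [];
    if (records.length === 0) recordStates.push('none'); // the "no record at all" polls
    for (const rec of records) {
      recordStates.push(rec.status);
      const tok = challengeToken(rec.http_url);
      if (tok) tokens.add(tok);
      if (!bodyMatchesToken(rec.http_body, tok)) mismatches++;
    }
  }
  // Several distinct tokens and no "active" means the CA kept issuing fresh
  // challenges and none of them was ever satisfied.
  const stuck = finalStatus !== 'active' && tokens.size > 1;
  return { finalStatus, distinctTokens: tokens.size, recordStates, mismatches, stuck };
}

// Constructed sample (placeholder tokens and thumbprint, not real values) mirroring
// the thread: token A pending, A processing, no record, token B pending.
const THUMB = 'thumbprint_placeholder';
function poll(token, recordStatus) {
  const rec = token ? [{ status: recordStatus,
    http_url: 'http://subdomain.domain.tld/.well-known/acme-challenge/' + token,
    http_body: token + '.' + THUMB }] : [];
  return { result: { ssl: { status: 'pending_validation', validation_records: rec } }, success: true };
}
const SAMPLE_POLLS = [poll('tokA', 'pending'), poll('tokA', 'processing'), poll(null), poll('tokB', 'pending')];
```

Running `summarizePolls(SAMPLE_POLLS)` reports two distinct tokens, no body mismatches and `stuck: true`; the same helper over a sequence that ends in `active` reports `stuck: false`.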