Disabling Cloudflare and Changing Name Server to Digital Ocean

Due to the dispute with the web design agency, we changed the name servers of our domain name, switched to another host and we are not using Cloudflare anymore. We get the following error in LetsEncrypt installation. Since we don’t have access to the Cloudflare panel, we can’t purge or delete the cache. What is your advice?

DNSLookupFailed

FATAL

A fatal issue occurred during the DNS lookup process for /fulmaks.com/CAA.

DNS response for /fulmaks.com had fatal DNSSEC issues: validation failure <fulmaks.com. CAA IN>: No DNSKEY record from 173.245.58.51 for key /fulmaks.com. while building chain of trust

TXTRecordError

FATAL

An error occurred while attempting to lookup the TXT record on _acme-challenge.fulmaks.com . Any resolver errors that the Let's Encrypt CA encounters on this record will cause certificate issuance to fail.

DNS response for _acme-challenge.fulmaks.com had fatal DNSSEC issues: validation failure <_acme-challenge.fulmaks.com. TXT IN>: No DNSKEY record from 2400:cb00:2049:1::adf5:3b29 for key fulmaks.com. while building chain of trust

The nameservers are correctly set and do not point to Cloudflare any more. So, at this point you are not using any Cloudflare service.

However, your DNSSEC configuration is broken and probably still has the Cloudflare configuration; you need to change that at your registrar to reflect whatever Digital Ocean provided you with. That is a question for them, however; Cloudflare is not involved any more.

Thank you. The nameservers were correctly pointed to Digital Ocean 24 hours ago, but we are still getting a DNSSEC error while installing SSL. I think it needs more time?


You need to have your registrar delete the DS records from your zone. Your registrar appears to be IHS Telekom.


There is no DS record on my domain registrar's control panel. When changing name servers from Cloudflare to another provider, should I remove the DS records on Cloudflare too?

I have no access to the Cloudflare control panel to remove the DS record. Can this be affecting my issue?

Some registrars do not have DNSSEC on their control panels. How did you enable DNSSEC in the first place? Probably best to open a support ticket with your registrar.

Moral of the story: Never let another company have exclusive control over your domain.


We changed the name servers from Cloudflare to Digital Ocean at our registrar. 50+ hours have passed but it is still not working. When name servers directed to Cloudflare are changed, does it take longer to propagate than with any other provider?

We have no access to the Cloudflare control panel to remove the domain.

It should only take 48 hours. Have you asked your registrar about this? Maybe their system is slow to broadcast the change.

Your nameservers are correct. You still have DS records in the parent zone. Ask your registrar to remove them.

https://dnsviz.net/d/fulmaks.com/dnssec/

At this point it has nothing to do with CF.
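The condition the replies describe (DS records left in the parent zone while the new nameservers serve no matching DNSKEY) can be checked offline from saved `dig` answers. This is an added example, not part of the original thread; the function names and the `example.com` records are constructed for illustration, and it compares key tag and algorithm only, without verifying the DS digest or any signature.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY record, computed as in RFC 4034 Appendix B.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled.)"""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rdata_fields(answer, rrtype):
    """RDATA fields of each `rrtype` record in `dig +noall +answer` style text."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) > 4 and parts[2] == "IN" and parts[3] == rrtype:
            records.append(parts[4:])
    return records

def delegation_state(parent_answer, child_answer):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    # DS RDATA: key tag, algorithm, digest type, digest
    ds = {(int(f[0]), int(f[1])) for f in rdata_fields(parent_answer, "DS")}
    if not ds:
        return "insecure"  # no DS: resolvers treat the zone as unsigned
    # DNSKEY RDATA: flags, protocol, algorithm, public key (may be split by spaces)
    keys = {(key_tag(int(f[0]), int(f[1]), int(f[2]), "".join(f[3:])), int(f[2]))
            for f in rdata_fields(child_answer, "DNSKEY")}
    if not keys:
        return "bogus: DS in parent, no DNSKEY served"  # the case in this thread
    if ds & keys:
        return "chain candidate"  # tag and algorithm match; digest not checked
    return "bogus: DS matches no served DNSKEY"

# Constructed sample answers; the digest and the 4-byte "key" are placeholders.
PARENT_DS = "example.com. 86400 IN DS 2068 13 2 " + "ab" * 32
CHILD_SIGNED = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
CHILD_OTHER_KEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBQ=="
CHILD_UNSIGNED = ""  # new DNS host serves an unsigned zone

if __name__ == "__main__":
    for child in (CHILD_UNSIGNED, CHILD_OTHER_KEY, CHILD_SIGNED):
        print(delegation_state(PARENT_DS, child))
```

To run it on a real zone, save the output of `dig +noall +answer DS <domain>` and of `dig +noall +answer DNSKEY <domain> @<authoritative nameserver>` and pass the two texts to `delegation_state`.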
