Edge Certificate is stuck on Pending Validation status for a long time

Answer these questions to help the Community help you with Security questions.

What is the domain name?
jabchai.in.th

Have you searched for an answer?
Yes, I have.

Please share your search results url:

When you tested your domain, what were the results?
I got an error on the Chrome browser: “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” and could not access the domain.

Describe the issue you are having:
The edge certificate is not issued and the status is set to “Pending Validation”. I have been waiting for over 12 hours.

What error message or number are you receiving?
ERR_SSL_VERSION_OR_CIPHER_MISMATCH on Google Chrome

What steps have you taken to resolve the issue?

  1. I have added all CAA records by following this link Add CAA records · Cloudflare SSL/TLS docs

  2. I have enabled and disabled the Universal SSL. As suggested in this link Troubleshooting Universal SSL · Cloudflare SSL/TLS docs, I disabled it and waited for a while before enabling it.

Was the site working with SSL prior to adding it to Cloudflare?
I’m not sure but I tried to disable the proxy and I can reach the server.

What are the steps to reproduce the error:

Have you tried from another browser and/or incognito mode?
Yes, I have tried on Microsoft Edge and Firefox. The result is still the same: ERR_SSL_VERSION_OR_CIPHER_MISMATCH on Microsoft Edge and Error code: SSL_ERROR_NO_CYPHER_OVERLAP on Firefox.

Please attach a screenshot of the error:

If I look up your DNS records, the problem seems to be the following:

jabchai.in.th.          7200    IN      DS      2371 1 2 B6CE6C60C7AF31D1962B68EAC757ACF3ABCE4A3CE51665A5DE54D7A7 060FFA97

Especially, the 1 between 2371 and 2. This means your DS record is using a deprecated encryption algorithm, which in turn probably means that you have not disabled or updated your DNSSEC configuration before adding the site to Cloudflare.

Following the steps in this guide should help you fix the problem:

Also, best delete all of those CAA records again.

2 Likes
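An added example, not part of the thread and not Cloudflare tooling: a small Python check that parses a DS record in dig presentation format and flags a deprecated or unexpected algorithm field, run on the DS line quoted above. The function names are hypothetical, and the expected algorithm 13 is the value given in this thread.

```python
# DNSSEC algorithm numbers (subset of the IANA registry).
ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
DEPRECATED = {1}                          # RSAMD5, deprecated by RFC 6725
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}    # SHA-1, SHA-256, SHA-384

def parse_ds(line):
    """Parse a DS record in dig / zone-file presentation format."""
    fields = line.split()
    if "DS" not in fields:
        raise ValueError("not a DS record")
    rdata = fields[fields.index("DS") + 1:]
    if len(rdata) < 4:
        raise ValueError("DS RDATA needs key tag, algorithm, digest type, digest")
    # dig splits long digests with spaces, so rejoin the remaining fields.
    return {"owner": fields[0], "key_tag": int(rdata[0]),
            "algorithm": int(rdata[1]), "digest_type": int(rdata[2]),
            "digest": "".join(rdata[3:]).upper()}

def check_ds(line, expected_algorithm):
    """Return a list of findings; an empty list means the DS looks consistent."""
    ds = parse_ds(line)
    alg = ds["algorithm"]
    name = ALGORITHMS.get(alg, "unknown")
    findings = []
    if alg in DEPRECATED:
        findings.append(f"algorithm {alg} ({name}) is deprecated")
    if alg != expected_algorithm:
        findings.append(f"algorithm {alg} does not match the signer's {expected_algorithm}")
    want = DIGEST_HEX_LEN.get(ds["digest_type"])
    digest = ds["digest"]
    if want is None:
        findings.append(f"unknown digest type {ds['digest_type']}")
    elif len(digest) != want or any(c not in "0123456789ABCDEF" for c in digest):
        findings.append(f"digest is not {want} hex characters")
    return findings

# DS line quoted in the thread above.
PUBLISHED = ("jabchai.in.th. 7200 IN DS 2371 1 2 "
             "B6CE6C60C7AF31D1962B68EAC757ACF3ABCE4A3CE51665A5DE54D7A7 060FFA97")
# Constructed for comparison: the same record with the algorithm field set to 13.
CORRECTED = PUBLISHED.replace(" 2371 1 2 ", " 2371 13 2 ")

if __name__ == "__main__":
    for label, rec in (("published", PUBLISHED), ("corrected", CORRECTED)):
        print(label, check_ds(rec, expected_algorithm=13) or "ok")
```

The same check can be fed the output of `dig DS <domain> +noall +answer` to confirm what the parent zone actually publishes after a registrar change.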

My bad, it should be 13 instead of 1. I already updated the DNSSEC at my domain registrar from 1 to 13. I have disabled and re-enabled the Universal SSL and it worked! Thank you! :blush:

2 Likes
