Edge certificate stuck in pending validation

What is the name of the domain?

f2agilenet.f2a.biz

What is the error number?

The site is down if the CNAME is created and the certificate remains in pending validation

What is the error message?

The edge certificate (Let’s Encrypt provided by Cloudflare) is stuck in pending validation

What is the issue you’re encountering

After the CNAME record was created in the DNS (and the A record was deleted), the edge certificate was stuck in pending validation for several hours.

What steps have you taken to resolve the issue?

The issue is not solved. The customer needed to roll back as the site is in production (i.e. it is not a test site).

What feature, service or problem is this related to?

DNS not responding/updating

What are the steps to reproduce the issue?

We tried to change the proxy status from Proxied to DNS only, we waited for at least a minute and then we moved the proxy status again from DNS only to Proxied.
We disabled universal SSL and re-enabled it after at least one minute.

You have DNSSEC enabled so you either need to disable it before changing the nameservers or add the DS records from Cloudflare to your registrar from here…
https://dash.cloudflare.com/?to=/:account/:zone/dns/settings

Also, your domain has expired…
https://cf.sjr.org.uk/tools/check?c863c633821e4fe4adba6c3cc7ae0d64#whois

Hi,
Now I resumed the DNS record (within Cloudflare) from Proxied to DNS only.
What is the right checklist for onboarding a new domain such as f2agilenet.f2a.biz?

Thank you.
Diego M.

Disable DNSSEC at your registrar first. Without doing that, the change of nameservers will mean your domain will not resolve for DNSSEC using resolvers, or allow the issuing of your Universal SSL certificate.
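
The DNSSEC condition described in the replies above (nameservers change while the registrar still publishes the old DS record), shown as an added example that is not part of the original thread. The zone name and keys are constructed placeholders and the function names are hypothetical; the check compares the parent's DS records against the DNSKEYs the nameservers actually serve, following RFC 4034.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Owner name in canonical (lower-case) wire format."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(owner, parent_ds, served_dnskeys):
    """Classify the zone as a validating resolver would.

    insecure: no DS at the parent, answers are accepted unvalidated
    secure:   some DS matches a DNSKEY the nameservers serve
    bogus:    DS exists but matches nothing served, resolver returns SERVFAIL
    """
    if not parent_ds:
        return "insecure"
    served = {make_ds(owner, key) for key in served_dnskeys}
    return "secure" if any(ds in served for ds in parent_ds) else "bogus"

# Constructed sample data: placeholder zone and keys, not real records.
ZONE = "example.test"
OLD_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))       # previous DNS provider
NEW_KEY = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))  # new DNS provider
OLD_DS = [make_ds(ZONE, OLD_KEY)]

if __name__ == "__main__":
    print("before move:       ", delegation_state(ZONE, OLD_DS, [OLD_KEY]))
    print("moved, old DS kept:", delegation_state(ZONE, OLD_DS, [NEW_KEY]))
    print("moved, DS removed: ", delegation_state(ZONE, [], [NEW_KEY]))
    print("moved, DS replaced:", delegation_state(ZONE, [make_ds(ZONE, NEW_KEY)], [NEW_KEY]))
```

The "bogus" case is the one the replies warn about; removing the DS or replacing it with the new provider's DS are the two ways out of it.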

Hi,
many thanks for your notice.
I will update the customer about that.

The end customer replied to me: “Sorry, but it’s not possible, DNSSEC is set as security, I can’t disable it.
Furthermore, DNSSEC is also active for the F2D.BIZ domain (i.e. another domain managed in Cloudflare), you can check it too.”

Sorry, yes, missed this is a partial CNAME setup.

Ok, thanks.
For this reason I can’t understand why the certificate validation was stuck in pending validation after the CNAME setup…

Could you please summarise the steps, in order, for onboarding a domain (partial with CNAME) in Cloudflare?
I need to clarify them to the end customer.
Thanks.

What is the name of the domain?

f2a.biz

What is the error number?

n/a

What is the error message?

Edge certificate in Pending validation after adding the CNAME

What is the issue you’re encountering

The Edge certificate remains in Pending validation after adding the CNAME

What steps have you taken to resolve the issue?

  1. We have tried to disable and re-enable the proxy status, from Proxied to DNS only and then again from DNS only to Proxied (we waited for 1-2 minutes between the operations).
  2. After step 1, we disabled and re-enabled the Universal SSL service (we waited for 1-2 minutes between the operations).

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

Once the domain is active there are also steps for SSL verification w/o downtime.
