Edge Certificates Pending TXT Validation - more than 48 hours

Answer these questions to help the Community help you with Security questions.

What is the domain name?
http://thehomebuyerclub.co.uk

Have you searched for an answer?
yes

Please share your search results url:
Other articles found, but no solution for my problem

When you tested your domain, what were the results?
I have turned off the A record proxy and the site does load, but I need it to be turned on and this stops the site from loading

Describe the issue you are having:
Site loading

Desktop: https://i.imgur.com/38vbkOu.png
Mobile: https://i.imgur.com/m2uS5Tx.png

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Disable A record proxy
  2. Disabled Universal SSL and re-enabled after 4 hours
  3. Set SSL/TLS encryption mode to Full Strict

Was the site working with SSL prior to adding it to Cloudflare?
This is a new site, domains originally purchased from Google and never used them, moved to Namecheap and connected to CF for first use

What are the steps to reproduce the error:

  1. head to the website http://thehomebuyerclub.co.uk

Have you tried from another browser and/or incognito mode?

Yes, this site will load in private with the A record proxy turned off

Please attach a screenshot of the error:

Desktop: https://i.imgur.com/38vbkOu.png
Mobile: https://i.imgur.com/m2uS5Tx.png

https://dnsviz.net/d/thehomebuyerclub.co.uk/dnssec/

; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for thehomebuyerclub.co.uk.)

Your DNSSEC Configuration is broken.

It looks like you had DNSSEC Set up at your old DNS Host. Not all DNS Resolvers validate DNSSEC, some ISP-operated Resolvers don’t, but most Public ones and Certificate Providers do, which will prevent them from resolving your site/issuing a certificate.

You’ll want to either outright disable DNSSEC, or enable DNSSEC with Cloudflare and update your DNSSEC configuration with the information Cloudflare gives you:

These changes to your DNSSEC Configuration can be done at your Registrar, Namecheap.

After you make these changes to fix your DNSSEC Configuration, the certificate issuance should retry after a bit and succeed. You can use the dnsviz.net tool and click “Update Now” to confirm you fixed the issue, no “BOGUS” status/notices should appear. It will take a bit for changes you make at your registrar to apply though.

2 Likes
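Added example, not part of the original replies: a sketch of the DS-to-DNSKEY check (RFC 4034) that a validating resolver or certificate authority effectively performs, showing why a DS record left at the registry after a DNS host change makes the zone bogus. The owner name, key bytes and the function names are constructed for illustration.

```python
import base64, hashlib, struct

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """Build the DS tuple (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    rdata = dnskey_rdata(*key)
    name = {1: "sha1", 2: "sha256", 4: "sha384"}.get(digest_type)
    if name is None:
        return None  # digest type this sketch does not know
    digest = hashlib.new(name, wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], digest_type, digest)

def delegation_status(owner, parent_ds, zone_dnskeys):
    """'insecure' = no DS at the parent, 'secure' = a DS matches a served DNSKEY,
    'bogus' = DS present but nothing matches (the EDE 9 case in this thread).
    Only the DS-to-DNSKEY link is checked, not the RRSIGs over the DNSKEY set."""
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        for key in zone_dnskeys:
            # 0x0100 is the Zone Key flag; a DS may only point at a zone key.
            if key[0] & 0x0100 and make_ds(owner, key, ds[2]) == (ds[0], ds[1], ds[2], ds[3].upper()):
                return "secure"
    return "bogus"

# Constructed sample data: the key bytes are arbitrary, not real keys.
OWNER = "example.co.uk."
OLD_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())       # old DNS host
NEW_KEY = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())  # new DNS host
STALE_DS = make_ds(OWNER, OLD_KEY)  # still published by the registry after the move

if __name__ == "__main__":
    print(delegation_status(OWNER, [STALE_DS], []))         # new host, DNSSEC not enabled
    print(delegation_status(OWNER, [STALE_DS], [NEW_KEY]))  # new host signs with its own key
    print(delegation_status(OWNER, [], []))                 # DS removed at the registrar
    print(delegation_status(OWNER, [make_ds(OWNER, NEW_KEY)], [NEW_KEY]))  # DS updated
```

The two fixes suggested in the reply above map to the last two calls: removing the DS makes the delegation insecure but resolvable, and replacing it with one derived from the new host's key makes it secure.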

Looks like you have invalid DNSSEC records with your registrar. You’ll want to remove those. It may take up to 12 hours for that to propagate.

https://dnsviz.net/d/thehomebuyerclub.co.uk/dnssec/

2 Likes

Hi, we do not use DNSSEC on Namecheap so I’m even more confused now: https://i.imgur.com/JwSXUaC.png. It is possible that this was turned on when we purchased the domain from Google many months back, but it’s clearly turned off in Google.

This domain was transferred to Namecheap from Google around 6 days ago.

Any further thoughts?

Hi there,

I do not have DNSSEC set up with Namecheap at the time of writing the original post, could this still be set up in the old Google Domains where the domain was originally hosted?
