Since Dec. 2nd I've been having an issue with the SSL on one of my sites. I checked the Cloudflare forum about this but it seems I can't find a solution. I saw some say to disable Universal SSL; I did this "disable universal ssl" for 30 minutes, then enabled it, no go. Tried disabling Universal SSL for 1 day, then enabling it, and still no go. Still pending validation. Any help? Thanks.
What’s the domain?
ochoa.rocks
Thanks, it looks like you’ve already tried the troubleshooting suggestions and the domain setup looks OK. I’ve escalated this issue to Support.
Thank you so much.
Just checked the SSL today and I noticed there are 2 pending validations; last time I checked there was only one. How long does this SSL stay pending before it is validated? Thanks.
Hi @boytigas, we took a look at this and you are delegating the DNS resolution for the _acme-challenge records on your domain to GreenGeeks:
_acme-challenge.ochoa.rocks. 300 IN NS ams-ns1.greengeeks.com.
_acme-challenge.ochoa.rocks. 300 IN NS chi-ns1.greengeeks.com.
_acme-challenge.ochoa.rocks. 300 IN NS chi-ns2.greengeeks.com.
;; Received 136 bytes from 173.245.59.123#53(jay.ns.cloudflare.com) in 41 ms
_acme-challenge.ochoa.rocks. 307 IN TXT "D-b3-VJDtrDq-AKMg-IwCkDil8Ph1x3bLVVOzHMYllI"
_acme-challenge.ochoa.rocks. 307 IN TXT "YGj2cNDhYAUtPJcjnEDY8pFSZj-9NY5jaTQR6SnbAW4"
;; Received 168 bytes from 107.6.141.186#53(ams-ns1.greengeeks.com) in 47 ms
This will block Cloudflare's Universal SSL from placing _acme-challenge records to validate the certificate. So that's why you see Pending Validation. It looks like GreenGeeks use LetsEncrypt, which Cloudflare also uses (as well as other ACME-compatible CAs) for Universal SSL.
Option 2 of the instructions (Let's Encrypt Installation Process) from GreenGeeks is unfortunately causing a conflict here.
If GreenGeeks allow an Origin CA cert to be installed instead, that would be a better option. But either way, you have to remove that NS delegation for _acme-challenge so that Universal SSL can issue.
So… the solution is either:
- Remove the NS delegation for _acme-challenge and install Origin CA on the origin instead of LetsEncrypt (not sure if GreenGeeks allow this). This would be our recommended option if all of your DNS records pointing to the origin are orange-clouded, because the Origin CA cert can be long-lived and won't need to be constantly renewed.
- Remove the delegation and do manual TXT validation for the GreenGeeks LetsEncrypt cert (that's Option 3 on GreenGeeks' Let's Encrypt Installation Process). This will require you to update the TXT records in your Cloudflare DNS every ~60 days so that the GreenGeeks LetsEncrypt cert installed on your origin is renewed.
Thank you for your reply. I just removed the NS delegation. Hope this will fix the issue. Thanks.
It will allow the Cloudflare Universal SSL to issue - but your origin LetsEncrypt cert will fail to renew if you don’t choose one of the two options I mentioned above.
I would recommend contacting GreenGeeks here and showing them the reply above to get their recommendation. Please share it here.
Spoke with GreenGeeks; they told me to just put Flexible in my Cloudflare SSL settings.
That's not a good idea; an origin certificate would be a much, much better choice. It's disappointing that instead of addressing the issue the provider wants you to significantly downgrade the transport security of your website.
Thank you for all the help, SSL is now working. GreenGeeks turned off or removed the SSL on their end so it doesn't conflict. Also, I have configured Full SSL instead of Flexible. Again, thank you so much.
Unfortunately, Full is still insecure as there is no validation. It should be Full Strict.