European domain .it .fr .eu, SSL Pending validation

I have searched all the answers. For .it, .fr and .eu domains, if SSL is enabled, it is always in Pending validation, no matter how long you wait.

None of these can solve my problem. I found that this happens only with European domain names; the others do not have it. I have tried many domains, and this problem has been going on for several months.

An example is given below,

Domain oneiron.it: http:// is OK, https:// can’t be visited.

curl https://www.oneiron.it -Iv
* About to connect() to www.oneiron.it port 443 (#0)
*   Trying 172.67.175.199...
* Connected to www.oneiron.it (172.67.175.199) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

https://api.cloudflare.com/client/v4/zones/:zone_id/settings/ssl

{
    "result": {
        "id": "ssl",
        "value": "flexible",
        "modified_on": "2021-12-15T12:52:07.020920Z",
        "certificate_status": "pending_validation",
        "validation_errors": [],
        "editable": true
    },
    "success": true,
    "errors": [],
    "messages": []
}

https://api.cloudflare.com/client/v4/zones/:zone_id/ssl/verification?retry=true

{
    "result": [
        {
            "certificate_status": "pending_validation",
            "cert_pack_uuid": "a92fb634-61e8-456e-a95e-c3526d617648",
            "validation_method": "txt",
            "validation_type": "dv",
            "verification_info": {
                "txt_name": "oneiron.it",
                "txt_value": "ca3-fd8ca7dba180405e9d4ef03269afceca"
            },
            "hostname": "*.oneiron.it"
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

The TXT record exists.

host -t txt oneiron.it
oneiron.it descriptive text "ca3-fd8ca7dba180405e9d4ef03269afceca"

https://api.cloudflare.com/client/v4/zones/:zone_id/settings

{
    "result": [
        {
            "id": "0rtt",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "advanced_ddos",
            "value": "on",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "always_online",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "always_use_https",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "automatic_https_rewrites",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "brotli",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "browser_cache_ttl",
            "value": 14400,
            "modified_on": null,
            "editable": true
        },
        {
            "id": "browser_check",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "cache_level",
            "value": "aggressive",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "challenge_ttl",
            "value": 1800,
            "modified_on": null,
            "editable": true
        },
        {
            "id": "ciphers",
            "value": [],
            "modified_on": null,
            "editable": true
        },
        {
            "id": "cname_flattening",
            "value": "flatten_at_root",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "development_mode",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "early_hints",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "edge_cache_ttl",
            "value": 7200,
            "modified_on": null,
            "editable": true
        },
        {
            "id": "email_obfuscation",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "filter_logs_to_cloudflare",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "hotlink_protection",
            "modified_on": null,
            "value": "off",
            "editable": true
        },
        {
            "id": "http2",
            "value": "on",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "http3",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "ip_geolocation",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "ipv6",
            "value": "on",
            "modified_on": "2021-12-14T09:31:39.202692Z",
            "editable": true
        },
        {
            "id": "log_to_cloudflare",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "max_upload",
            "value": 100,
            "modified_on": null,
            "editable": true
        },
        {
            "id": "min_tls_version",
            "value": "1.0",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "minify",
            "value": {
                "css": "off",
                "html": "off",
                "js": "off"
            },
            "modified_on": null,
            "editable": true
        },
        {
            "id": "mirage",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "mobile_redirect",
            "value": {
                "status": "off",
                "mobile_subdomain": null,
                "strip_uri": false
            },
            "modified_on": null,
            "editable": true
        },
        {
            "id": "opportunistic_encryption",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "opportunistic_onion",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "orange_to_orange",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "origin_error_page_pass_thru",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "polish",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "prefetch_preload",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "privacy_pass",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "proxy_read_timeout",
            "value": "100",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "pseudo_ipv4",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "response_buffering",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "rocket_loader",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "security_header",
            "modified_on": null,
            "value": {
                "strict_transport_security": {
                    "enabled": false,
                    "max_age": 0,
                    "include_subdomains": false,
                    "preload": false,
                    "nosniff": false
                }
            },
            "editable": true
        },
        {
            "id": "security_level",
            "value": "medium",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "server_side_exclude",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "sort_query_string_for_cache",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "ssl",
            "value": "flexible",
            "modified_on": "2021-12-15T12:52:07.020920Z",
            "certificate_status": "pending_validation",
            "validation_errors": [],
            "editable": true
        },
        {
            "id": "tls_1_2_only",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "tls_1_3",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "tls_client_auth",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "true_client_ip_header",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "visitor_ip",
            "value": "on",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "waf",
            "value": "off",
            "modified_on": null,
            "editable": true
        },
        {
            "id": "webp",
            "value": "off",
            "modified_on": null,
            "editable": false
        },
        {
            "id": "websockets",
            "value": "on",
            "modified_on": null,
            "editable": true
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

Name ID Modified time Editable
0rtt off true
advanced_ddos on false
always_online on true
always_use_https off true
automatic_https_rewrites on true
brotli on true
browser_cache_ttl 14400 true
browser_check on true
cache_level aggressive true
challenge_ttl 1800 true
ciphers true
cname_flattening flatten_at_root false
development_mode off true
early_hints off true
edge_cache_ttl 7200 true
email_obfuscation on true
filter_logs_to_cloudflare off true
hotlink_protection off true
http2 on false
http3 on true
ip_geolocation on true
ipv6 on 2021-12-14T09:31:39.202692Z true
log_to_cloudflare on true
max_upload 100 true
min_tls_version 1.0 true
minify [object Object] true
mirage off false
mobile_redirect [object Object] true
opportunistic_encryption on true
opportunistic_onion on true
orange_to_orange off true
origin_error_page_pass_thru off false
polish off false
prefetch_preload off false
privacy_pass on true
proxy_read_timeout 100 false
pseudo_ipv4 off true
response_buffering off false
rocket_loader off true
security_header [object Object] true
security_level medium true
server_side_exclude on true
sort_query_string_for_cache off false
ssl flexible 2021-12-15T12:52:07.020920Z true
tls_1_2_only off true
tls_1_3 on true
tls_client_auth off true
true_client_ip_header off false
visitor_ip on true
waf off true
webp off false
websockets on true

The methods below do not work for my domains.

  1. Grey-cloud/deactivate Cloudflare so that the website uses the origin’s SSL certificate
  2. Re-start the process
    • Go to the SSL/TLS app on your Cloudflare dashboard and scroll down to the bottom
    • Click the Disable Universal SSL
    • Wait for a few minutes then click the Enable Universal SSL
  3. PATCH the validation method with the API using https://api.cloudflare.com/#ssl-verification-edit-ssl-certificate-pack-validation-method .

- Turn SSL OFF
- Wait 3 minutes
- Disable Universal SSL
- Wait 5 minutes
- Enable Universal SSL
- Wait 5 minutes
- Turn SSL On (Flexible)
- Wait ± 15 minutes
- Activated Certificate

Waiting more than 24 hours…

It looks like a propagation issue. For how long has this been going on?

For this domain it has been more than 3 days; in fact, other .it, .eu and .fr domains are still the same even after waiting for a week.

oneiron.it has DNSSEC enabled. Can you turn this off at your registrar until the process finishes?


DNSSEC has been disabled.

Solved.

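The check this thread converges on, as an added example that is not part of the original posts: it takes the verification response and TXT answer shown above and separates "TXT record missing" from "TXT record present but DNSSEC chain broken". That a leftover DS record at the registrar was the cause here is an assumption drawn from the fix; `diagnose` and the key tag values are hypothetical, and the key tags would be read by hand from `dig DS` and `dig +multi DNSKEY` output.

```python
import json

# Verification response and TXT answer are copied from the post above;
# the DS/DNSKEY key tags passed in below are constructed sample values.
VERIFICATION = json.loads("""
{"result": [{"certificate_status": "pending_validation",
             "validation_method": "txt",
             "verification_info": {"txt_name": "oneiron.it",
                                   "txt_value": "ca3-fd8ca7dba180405e9d4ef03269afceca"},
             "hostname": "*.oneiron.it"}]}
""")
TXT_ANSWERS = {"oneiron.it": ['"ca3-fd8ca7dba180405e9d4ef03269afceca"']}


def diagnose(verification, txt_answers, parent_ds_tags, zone_dnskey_tags):
    """Classify each pending TXT-validated certificate pack.

    parent_ds_tags:   key tags of DS records at the parent zone (registrar side)
    zone_dnskey_tags: key tags of DNSKEYs served by the current nameservers
    Matching on key tag alone is a simplification; a resolver also checks
    the DS digest and the signatures.
    """
    # A DS at the parent with no matching DNSKEY in the zone breaks the chain
    # of trust: validating resolvers return SERVFAIL, so a validator behind
    # one never sees the TXT record even though `host -t txt` shows it.
    chain_broken = bool(parent_ds_tags) and not (
        set(parent_ds_tags) & set(zone_dnskey_tags))
    findings = []
    for pack in verification["result"]:
        if pack["certificate_status"] != "pending_validation":
            continue
        if pack["validation_method"] != "txt":
            findings.append((pack["hostname"], "not_txt_validation"))
            continue
        info = pack["verification_info"]
        seen = {v.strip('"') for v in txt_answers.get(info["txt_name"], [])}
        if info["txt_value"] not in seen:
            findings.append((pack["hostname"], "txt_missing_or_wrong"))
        elif chain_broken:
            findings.append((pack["hostname"], "txt_ok_dnssec_chain_broken"))
        else:
            findings.append((pack["hostname"], "txt_ok_retry_validation"))
    return findings


if __name__ == "__main__":
    # DS still published at the registrar, zone not serving a matching key.
    print(diagnose(VERIFICATION, TXT_ANSWERS, [2371], []))
    # After the DS is removed at the registrar.
    print(diagnose(VERIFICATION, TXT_ANSWERS, [], []))
```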