Google-managed certificate with DNS authorization doesn't work with my domain

I created a Google-managed certificate using this tutorial.
After creating the DNS authorization, I created a CNAME record for _acme-challenge with the target provided to me.

After more than a day the certificate is still stuck on AUTHORIZING. The weird thing is that it only happens on my Cloudflare managed domain.
So my-domain.xyz was purchased on some registrar and I manage its DNS in Cloudflare.
my-other-domain.xyz was purchased on another registrar and the DNS is still managed there.

So I tested:

  • I created a certificate for both domains
  • Created a DNS authorization for both domains
  • added the CNAME record of the _acme-challenge for both domains

The result is that after about an hour, the domain which isn’t managed in Cloudflare already has a working certificate, while the other one is pending activation.

Can anyone help me understand what I’m doing wrong? I had a bunch of MX records as well as a single TXT record which was generated by default I guess, so I deleted everything and currently the only record there is the CNAME ACME record. After deleting everything I re-created my DNS Authorization and I’m still waiting for the certificate to be valid.

Checking with online nslookup tools, I get a valid response:

Any help would be appreciated :slight_smile:

(Sorry for typing the record names in a weird way, I got an error saying I can’t use more than 4 hyperlinks but it automatically creates a link to “C NAME” and “M X”)

What is the domain?

beinish.xyz is the one managed in Cloudflare

Your DNSSEC configuration is broken and needs to be updated:

dig @1.1.1.1 _acme-challenge.beinish.xyz

; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> @1.1.1.1 _acme-challenge.beinish.xyz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14260
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 2 (Unsupported DS Digest Type): (for DS beinish.xyz.)
;; QUESTION SECTION:
;_acme-challenge.beinish.xyz.   IN      A

;; ANSWER SECTION:
_acme-challenge.beinish.xyz. 300 IN     CNAME   b1e9ea7e-d3b5-4976-8cb6-7db118d4eeed.12.authorize.certificatemanager.goog.

;; AUTHORITY SECTION:
12.authorize.certificatemanager.goog. 60 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 60

;; Query time: 104 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Jun 11 15:39:48 CEST 2024
;; MSG SIZE  rcvd: 261

This part here:

; EDE: 2 (Unsupported DS Digest Type): (for DS beinish.xyz.)
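As an added example (not code from this thread, from Cloudflare or from Google), the following Python script does two things a zone operator wants when a resolver reports EDE 2 as above: it parses the Extended DNS Error out of `dig` output and turns it into an actionable finding, and it recomputes a DS record from a DNSKEY (RFC 4034 section 5.1.4) so you can check whether the DS published at the registrar actually matches the key your DNS host serves, using a digest type validators support. The dig lines embedded below are the ones from this thread; the DNSKEY bytes are constructed and all function names are my own.

```python
"""Parse a dig EDE line and verify a DS record against a DNSKEY (added example)."""
import hashlib
import re
import struct

# DNSSEC-related Extended DNS Error codes from RFC 8914
EDE_CODES = {1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
             5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
             8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing"}

# DS digest types from the IANA registry: 1 SHA-1, 2 SHA-256, 4 SHA-384 (3 is GOST,
# which most validators do not implement, the situation EDE 2 reports)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Sample input: the relevant lines of the dig output quoted in the thread
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14260
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 2 (Unsupported DS Digest Type): (for DS beinish.xyz.)
"""

EDE_RE = re.compile(r"^; EDE: (\d+) \(([^)]*)\)(?:: \((.*)\))?$")
STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_dig(text):
    """Extract rcode, header flags and EDE entries (code, text, extra) from dig output."""
    report = {"status": None, "flags": [], "ede": []}
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-") and (m := STATUS_RE.search(line)):
            report["status"] = m.group(1)
        elif m := FLAGS_RE.match(line):
            report["flags"] = m.group(1).split()
        elif m := EDE_RE.match(line):
            report["ede"].append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return report


def diagnose(report):
    """Turn the parsed output into findings the zone operator can act on."""
    findings = []
    for code, text, extra in report["ede"]:
        if code in (1, 2):
            findings.append(f"EDE {code} ({text}) {extra}: the DS at the parent uses a "
                            "digest type or algorithm this validator cannot check; "
                            "re-publish the DS at the registrar with the SHA-256 (type 2) "
                            "digest of the DNSKEY your DNS host serves")
        elif code in EDE_CODES:
            findings.append(f"EDE {code} ({text}) {extra}: DNSSEC validation failure")
    if report["ede"] and "ad" not in report["flags"]:
        findings.append("answer carries no 'ad' flag: strict validators may refuse this zone")
    return findings


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, as hashed into a DS."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    if digest_type not in DS_DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(published_ds, owner, rdata):
    """True if the DS published at the parent matches this DNSKEY with a usable digest."""
    tag, alg, dtype, digest = published_ds
    if dtype not in DS_DIGESTS:
        return False  # same condition a validator reports as EDE 2
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


# Constructed sample KSK (flags 257, protocol 3, algorithm 13); not a real key
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    for finding in diagnose(parse_dig(SAMPLE_DIG)):
        print(finding)
    print(make_ds("beinish.xyz", SAMPLE_KEY, 2))
```

To apply this to a live zone, feed `parse_dig` the output of `dig +dnssec @1.1.1.1 <name>` and compare the DS line your registrar shows (tag, algorithm, digest type, digest) against `make_ds` computed from the DNSKEY your DNS host returns for `dig DNSKEY <zone>`; a mismatch or an unsupported digest type is the DS record that has to be replaced at the registrar.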

Thank you, it solved the issue :slight_smile:

