Assuming you’re using Universal SSL and Proxied records, it will be mandatory for Cloudflare once in a while, to create some DNS records, in order to request a (new) certificate.
But I had personally made these DNS records visible, together with an information tag, saying something along the lines of:
These DNS records are (managed | added) by Cloudflare, in order to obtain a Universal SSL (or whatever) certificate for your domain name. Once the certificate has been issued successfully, the DNS records will be removed automatically.
Although it could possibly have been worded better, I suppose it makes enough sense, to get to the point of what I mean.
It happens from time to time, that certain domain specific, or DNS record specific things are preventing the successful issuance of a certificate.
I’m not saying it is relevant in your case, or that it will lead anywhere at all.
However, if there is eventually something, as in just a very tiny thing, that any of the awesome Cloudflare Community members would be able to spot, when having the domain name, but that will be completely impossible to spot without, … then it would be quite sad, as we wouldn’t be able to guide you towards a better result, even though we would be happy to.
Assuming you redacted the domain alone, to “example.com”, and that you didn’t accidentally redact a part of a subdomain (e.g. making “api.lab.example.com” become “api.example.com” in your screenshot), then I am becoming curious about the following:
Is there any specific reason, why you would try to issue Advanced Certificates through a paid add-on, for a (sub-)domain, that is already covered by your Universal SSL?
In addition, -
If you expand the view of the pending certificates, does the eventual validation token(s) match the one(s), that you’re seeing via dig?
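An added example, not part of the original post: one way to do the token comparison asked about above, by normalizing `dig +short TXT` output and diffing it against the tokens shown for the pending certificate. The function names, the `RECORD_NAME` variable and all token values are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare the validation tokens of a pending certificate
# with what DNS actually serves. All names and values are constructed.

# Turn `dig +short TXT` output into one bare token per line:
# join multi-string records ("part1" "part2"), strip quotes, de-duplicate.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' -e '/^$/d' | sort -u
}

# token_status EXPECTED PUBLISHED
#   EXPECTED : tokens copied from the pending certificate, one per line
#   PUBLISHED: raw `dig +short TXT <validation-record-name>` output
# Prints MATCH / MISSING (expected, not in DNS) / STALE (in DNS, not expected).
token_status() {
    expected=$1
    published=$(printf '%s\n' "$2" | normalize_txt)
    printf '%s\n' "$expected" | while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        if printf '%s\n' "$published" | grep -Fxq -- "$tok"; then
            echo "MATCH $tok"
        else
            echo "MISSING $tok"
        fi
    done
    printf '%s\n' "$published" | while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        printf '%s\n' "$expected" | grep -Fxq -- "$tok" || echo "STALE $tok"
    done
}

# Constructed sample data (not real tokens).
EXPECTED='constructed-token-AAAA
constructed-token-BBBB'
DIG_OUTPUT='"constructed-token-AAAA"
"constructed-token-OLD"'

token_status "$EXPECTED" "$DIG_OUTPUT"

# Live use (needs network), with the record name shown in the dashboard:
#   token_status "$EXPECTED" "$(dig +short TXT "$RECORD_NAME")"
```

A `STALE` line means DNS still serves a token the pending certificate does not list, and a `MISSING` line means an expected token is not visible at the resolver that was queried.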