Origin certificate failed to renew with error Failed to sign certificate request

What is the name of the domain?

identity.sandbox.limepay.com.au

What is the error number?

1010

What is the error message?

Failed to validate requested hostname identity.sandbox.limepay.com.au: This zone is either not part of your account, or you do not have access to it. Please contact support if using a multi-user organization

What is the issue you’re encountering?

Cloudflare seems to be confused by our account. We have some free sites, but also some Pro (including this one) and Business sites. When I raised a ticket on this issue selecting the pro site limepay.com.au

What steps have you taken to resolve the issue?

I raised a support ticket twice but each time I get an auto-response from Cloudflare saying I should upgrade to Pro or Business to raise tickets.

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Strict (SSL-Only Origin Pull)

What are the steps to reproduce the issue?

We use the Cloudflare origin-ca-issuer to generate certificates for our K8s services. This failed for one of our services recently with this error:

Failed to sign certificate request: unable to sign request: Cloudflare API Error code=1010 message=Failed to validate requested hostname identity.sandbox.limepay.com.au: This zone is either not part of your account, or you do not have access to it. Please contact support if using a multi-user organization.

Just in case, may I ask if you’re using an Advanced Certificate Manager as well for such a deep sub-domain?

Could you please share your ticket number here with us so I could escalate this to the team? Thank you in advance.


Hi fritex

The case number for the original ticket is 01124686. The second ticket is 01134252.

We are using Advanced Certificate Manager to take advantage of Cloudflare WAF and CDN support. We set up the certificate packs using Terraform. We have something like 20 sub-domains set up this way, and this is the only sub-domain where auto-renewal of the internal certificate failed.

The domains on Cloudflare are set up to achieve an A+ SSL rating in the SSL Labs test, plus some other headers to achieve PCI compliance:

  • CAA records are set
  • HSTS strict-transport-security: max-age=31536000; includeSubDomains; preload
  • No sniff header x-content-type-options: nosniff
  • TLS 1.2 minimum is set, with weak TLS ciphers disabled

For services proxied via Cloudflare and subject to double TLS termination, we annotate the Ingress resource to use origin-ca Issuer which will automatically generate a Kubernetes TLS secret via cert-manager (using DNS validation).
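The setup described above, written out as an added example (not the poster's own manifests): an `OriginIssuer` from the cloudflare/origin-ca-issuer project plus an Ingress that cert-manager picks up through the issuer-kind/issuer-group annotations. The resource names, namespace, service name and hostname are assumptions; the hostname listed under `tls.hosts` is what the Origin CA API validates against the zones the service key's account can access, which is the check that produced error 1010 on this thread.

```yaml
# Added example, not from the original post. Names are assumptions.
# Origin CA issuer: signs CSRs with Cloudflare's Origin CA using the
# account's Origin CA service key (stored in a Secret, not inline).
apiVersion: cert-manager.k8s.cloudflare.com/v1
kind: OriginIssuer
metadata:
  name: cloudflare-origin-issuer      # assumed name
  namespace: sandbox                  # assumed namespace
spec:
  requestType: OriginECC              # or OriginRSA
  auth:
    serviceKeyRef:
      name: cloudflare-origin-ca-key  # assumed Secret name
      key: key                        # Secret data key holding the service key
---
# Ingress annotated for cert-manager's ingress-shim. issuer-kind and
# issuer-group are required because OriginIssuer is not a cert-manager.io kind.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: identity                      # assumed name
  namespace: sandbox
  annotations:
    cert-manager.io/issuer: cloudflare-origin-issuer
    cert-manager.io/issuer-kind: OriginIssuer
    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
spec:
  tls:
    - hosts:
        # Every host here must sit in a zone the service key's account owns;
        # otherwise signing fails with API error 1010 as seen in this thread.
        - identity.sandbox.example.invalid   # placeholder hostname
      secretName: identity-origin-tls        # cert-manager writes the TLS Secret here
  rules:
    - host: identity.sandbox.example.invalid
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: identity          # assumed Service name
                port:
                  number: 8443          # origin also speaks TLS (Full strict mode)
```

With the Ingress in place, cert-manager creates the Certificate and Secret automatically; renewal failures surface as events on the CertificateRequest, which is where the API error message above is recorded.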

Thank you for feedback and sharing ticket number here. I’ve escalated your case to the team.

Kindly and patiently wait for a reply.

Sorry this is happening for you.

I asked for some more information in the ticket that you sent in, so we can track down the cause of this error.
