SSL _acme-challenge records present in DNS but still Pending Validation (TXT)

What is the domain name?

Have you searched for an answer?

Please share your search results url:

When you tested your domain using the [Cloudflare Diagnostic Center], what were the results?

Describe the issue you are having:
SSL _acme-challenge records present in DNS but still Pending Validation (TXT)

dig TXT _acme-challenge(dot)bleif(dot)com(dot)ar

What error message or number are you receiving?
Pending Validation (TXT)

Was the site working with SSL prior to adding it to Cloudflare?

Have you tried from another browser and/or incognito mode?

Please attach a screenshot of the error:

That’s an issue. Your site needs to be secure before you use Cloudflare.

I’m using flexible enc mode in CF
Also, the domain didn't have any SSL before, and we just changed the site hosting server and changed DNS to point to CF

Yeah, precisely, that’s the issue, you are using an insecure legacy mode, which means your whole site is still insecure.

You best pause Cloudflare and make sure it loads fine on HTTPS without Cloudflare, then it will also work on Cloudflare.

Well, I don’t have origin certificates, for that I’m using flexible. I also enabled flexible for a lot of clients, this is the first time I’m getting this issue.

I have disabled universal SSL, waited 5 mins and re-enabled it, now dig TXT lists the correct records and keys, but still pending TXT validation

Did something change in CF in the past month? Is it still possible to get flexible SSL enc? (without SSL on origin)


You best take a look at that article

Thanks @sandro! I already know that, but I can’t get the origin to get SSL protected, so my only choice for many clients is to get flexible CF enc. In this case, it’s stuck in validating TXT records, that, as far as I can tell, are already present.

Why can’t you get a certificate? They are literally available everywhere.

The issue is that you keep all your clients’ sites insecure because you force them onto HTTP. Do they know about that? Configuring a certificate is a matter of seconds, so you should really fix that first.

Hard to explain!

Please focus on the current issue. Can you help me to get Pending Validation (TXT) working? If not, thanks a lot for your suggestions.

I really appreciate your time as an MVP, but currently I need this particular issue fixed, which, by the way, is the first time I face this in 10 years working with CF services.

But that is the current issue. You want your site on HTTPS, right? With your settings it isn’t and that’s what you need to fix. That starts with the server certificate and once that works, we can check anything else. Hence it is important to first fix that.

Ok, so you are telling me that there’s no way to get flexible SSL working anymore in CF? Any blog post or news about that?

Please refer to the previous article I posted.

But it is really easy, you want the site to be secure, right? Then you need to fix the server first.

On the other hand, if you do not need SSL, switch the encryption mode to Off and you should not run into validation issues, as SSL won’t be required any more.

Well, in this specific client the hosting CP allows me to manually install certificates, but here in Argentina that’s very rare. Most of the hosting providers sell you the SSL cert and don’t allow you to manually install your own cert.

Already installed the cert

Disabled, waited and re-enabled Universal SSL and also changed enc to full, the issue persists

Pending Validation (TXT)

Yes, some hosts do that, but in that case it’s best to switch host as a host should always provide you with the ability to configure your own certificate and most hosts do that.

As for the issue, can you verify if you may have to restart something, as it still seems to show an invalid certificate.

Well, this is basic shared hosting, so no access to almost anything, only a Control Panel and that’s all. After installing the cert, the hosting CP told me that the cert was successfully installed, and that’s all I can do from this end

In that case I’d contact them to clarify this as it doesn’t seem to be working yet. Did you verify that the IP address itself is correct?

That’s what I’m trying to tell from the first post.

Now I’ve disabled CF DNS proxies of all DNS entries, and disabled universal SSL and now the site seems to work, but failing as Unknown Cert Issuer

Will wait a minute or two and re-enable proxy, universal SSL and so on