SSL _acme-challenge records present in DNS but still Pending Validation (TXT)

adsense-ar · January 6, 2023, 6:04pm

What is the domain name?
bleif(dot)com(dot)ar

Have you searched for an answer?
Yes

Please share your search results url:
search?q=_acme-challenge%20still%20Pending%20Validation%20(TXT)

When you tested your domain using the [Cloudflare Diagnostic Center], what were the results?

Describe the issue you are having:
SSL _acme-challenge records present in DNS but still Pending Validation (TXT)

dig TXT _acme-challenge(dot)bleif(dot)com(dot)ar

çWhat error message or number are you receiving?
Pending Validation (TXT)

Was the site working with SSL prior to adding it to Cloudflare?
No

Have you tried from another browser and/or incognito mode?
No

Please attach a screenshot of the error:

sandro · January 6, 2023, 6:08pm

That’s an issue. Your site needs to be secure before you use Cloudflare.

adsense-ar · January 6, 2023, 6:11pm

I’m using flexible enc mode in CF
Also, the domain didnt have any ssl before, and we just change site hosting server and changed DNS to point to CF

sandro · January 6, 2023, 6:12pm

Yeah, precisely, that’s the issue, you are using an insecure legacy mode, which means your whole site is still insecure.

You best pause Cloudflare and make sure it loads fine on HTTPS without Cloudflare, then it will also work on Cloudflare.

adsense-ar · January 6, 2023, 6:15pm

Well, I don’t have origin certificates, for that I’m using flexible. I also enabled flexible for a lot of clients, this is the first time I’m getting this issue.

I have disabled universal SSL, waited 5 mins and re enabled it, now dig TXT _acme-challenge.bleif.com.ar lists the correct records and keys, but still pendoing txt validation

Did something changed in CF in the past month? Is still possible to get flexible SSL enc? (without SSL on origin)

Thanks!

sandro · January 6, 2023, 6:16pm

You best take a look at that article

adsense-ar · January 6, 2023, 6:19pm

Thanks @sandro ! I already know that, but I can’t get the origin to get SSL protected, so my only choice for many clients is to get flexible CF enc. In this case, it’s stuck in validating TXT records, that, as far as I can tell, are already present.

adsense-ar · January 6, 2023, 6:20pm

sandro · January 6, 2023, 6:20pm

Why can’t you get a certificate? They are literally available everywhere.

The issue is that you keep all your clients’ sites insecure because you force them onto HTTP. Do they know about that? Configuring a certificate is a matter of seconds, so you should really fix that first.

adsense-ar · January 6, 2023, 6:25pm

Hard to explain!

Please focus in the current issue, ¿can you help me to get Pending Validation (TXT) working? If no, thanks a lot for your suggestions.

I really appreciate your time as a MVP, but currently I need this particular issue fixed, which, by the way, is the first time I face this in 10 years working with CF services.

sandro · January 6, 2023, 6:27pm

But that is the current issue. You want your site on HTTPS, right? With your settings it isn’t and that’s what you need to fix. That starts with the server certificate and once that works, we can check anything else. Hence it is important to first fix that.

adsense-ar · January 6, 2023, 6:28pm

Ok, soy you are telling me that there’s no way to get flexible SSL working anymore in CF? Any blog post or news about that?

sandro · January 6, 2023, 6:28pm

Please refer to the previous article I posted.

But it is really easy, you want the site to be secure, right? Then you need to fix the server first.

sandro · January 6, 2023, 6:30pm

On the other, if you do not need SSL, switch the encryption mode to Off and you should not run into validation issues, as SSL won’t be required any more.

adsense-ar · January 6, 2023, 6:39pm

Well, in this specific client the hosting CP allows me to manually install certificates, but here in argentina that’s very rare. Most of the hosting providers sells you the SLL cert and don’t allow you to manually install your own cert.

Already installed the cert

Disabled, waited and re enabled Universal SSL and also changed enc to full, the issue persists

Pending Validation (TXT)

sandro · January 6, 2023, 6:46pm

Yes, some hosts do that, but in that case it’s best to switch host as a host should always provide you with the ability to confgure your own certificate and most hosts do that.

As for the issue, can you verify if you may have to restart something, as it still seems to show an invalid certificate.

adsense-ar · January 6, 2023, 6:49pm

Well, this is basic shared hosting, so no access to almost anything, only a Control Panel and that’s all. After installing the cert, the hosting CP told me that the cert was successfully installed, and that’s all I can do from this end

sandro · January 6, 2023, 6:50pm

In that case I’d contact them to clarify this as it doesn’t seem to be working yet. Did you verify that the IP address itself is correct?

adsense-ar · January 6, 2023, 6:54pm

That’s what I’m trying to tell from the first post.

Now I’ve disabled CF DNS proxyes of all DNS entryes, and disabled universal SSL and now the site seems to work, but failing as Unknown Cert Issuer

adsense-ar · January 6, 2023, 6:55pm

Will wait a minute or two and re enable proxy, universal SSL and so on