SSL Certificate is still pending after several days

Hi,

I just delegated a new Domain to cloudflare in its free account about two weeks ago.
The Domain is now available in the cloudflare admin interface and everything dns related seems to work.

Now, nearly a week ago, I tried to set up an SSL certificate with Cloudflare (Let’s Encrypt).

After 24 hours I wondered, why it is still pending and searched the community forum, maybe it just takes some more time.

But after nearly a week, there is clearly something going wrong, and I think I got a hint.

The certificate ought to be for *.domain.com and www…domain.com - despite the fact that the wildcard domain already includes www.domain.com

When I make a lookup to _acme-challenge.domain.com I get FOUR TXT entries, which are all different:

;; ANSWER SECTION:
_acme-challenge.domain.com. 300	IN	TXT	"KVlxxasasVasasa7Tf9W1Tnjd7uorF2nyHIDGqmD3o4"
_acme-challenge.domain.com. 300	IN	TXT	"sStVBasasaUaaavv_avajvavavav9-XYfpmXUQSY4Eo"
_acme-challenge.domain.com. 300	IN	TXT	"ukdxsKnc3W_6OrBavavavavvavavvaavavWYeu0HNa8"
_acme-challenge.domain.com. 300	IN	TXT	"WBhWHCVMsavvvavavavavaavavvvavavavViL1jc4N0"

The first and the last entry are the “correct” ones which are also mentioned in the SSL cert part in the Cloudflare web interface.
Both other entries, I don’t know where they came from? But I think that’s the culprit why it’s still pending, since they seem to be invalid to me.

But they are NOT mentioned in the Cloudflare DNS configuration in the web interface, I am only able to dig them up externally from Cloudflare - so the easy way - deleting the wrong entries - does NOT work.

I can’t stop the acme challenge also, it seems.

So, what can I do? Only wait for a timeout and then try again?

thanks a lot for your help.

nocnoc

What is the domain?

It is

m - ccp dot net

You have a DNSSEC issue, the DS records are not those given by Cloudflare…
https://cf.sjr.org.uk/tools/check?d4a1bc19652443cb95f62edb9359c234#dns

You need to either disable DNSSEC at your registrar, or enable it at Cloudflare and copy the DS records to your registrar from your dashboard here…
https://dash.cloudflare.com/?to=/:account/:zone/dns/settings

1 Like
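
The check behind the answer above, as an added example that is not part of the original thread: a DS record at the registrar must hash to one of the DNSKEYs the zone's current nameservers serve, otherwise validating resolvers reject the zone's answers. The zone name, both keys and the function names are constructed for illustration; the key tag and DS digest follow RFC 4034.

```python
import base64, hashlib, struct

# Constructed sample data: two made-up 64-byte ECDSA P-256 (algorithm 13) keys.
ZONE = "example.com"
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())       # previous DNS host
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())  # current DNS host

def name_to_wire(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(zone, flags, protocol, algorithm, key_b64):
    """Return the DS tuple (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def check_delegation(zone, parent_ds, child_dnskeys):
    """Classify the delegation the way a validating resolver would see it."""
    if not parent_ds:
        return "insecure"  # no DS at the registrar: zone is treated as unsigned
    expected = {ds_from_dnskey(zone, *k) for k in child_dnskeys}
    published = {(t, a, d, h.upper()) for (t, a, d, h) in parent_ds}
    return "ok" if published & expected else "bogus"

STALE_DS = ds_from_dnskey(ZONE, *OLD_KSK)  # DS left at the registrar for the old key

if __name__ == "__main__":
    # Stale DS, new provider's key: validation fails.
    print(check_delegation(ZONE, [STALE_DS], [NEW_KSK]))
    # Fix 1: remove the DS at the registrar (DNSSEC disabled).
    print(check_delegation(ZONE, [], [NEW_KSK]))
    # Fix 2: publish the DS that matches the key currently served.
    print(check_delegation(ZONE, [ds_from_dnskey(ZONE, *NEW_KSK)], [NEW_KSK]))
```

The two fixes named in the answer correspond to the "insecure" and "ok" results; only the stale-DS case yields "bogus".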

FACEPALM.

Thanks. You are probably absolutely right. Forgot about that…

Thanks a lot!

Cheers

NocNoc

2 Likes
