SSL certificate stuck on pending issuance (error)

Can anyone tell me what I need to do to get the edge to edge encryption going?

I’ve got a Raspberry Pi server that hosts my domain (dnd-mapp.nl.eu.org), which already has a Let’s Encrypt SSL certificate on that server for my domain and any possible subdomains (*.dnd-mapp.nl.eu.org). I was able to get a wildcard certificate when I used an API token for Cloudflare, which I have created.
I’m trying to get the Universal SSL certificate for Cloudflare, but that is, as the title states, not quite working.

I’ve disabled and enabled the certificate twice already. Before enabling the certificate again I waited until the old certificate was removed from the list (about 10-15 minutes), and after enabling I’ve waited 24 hours before checking on the status.
All my records (A record and CNAME records) are using the Cloudflare proxy (orange cloud), and the Universal SSL certificate is enabled.
I do have to mention that I have a firewall rule on Cloudflare that blocks any traffic from outside the Netherlands.

Anything else that I can do to have this certificate not throw a conflict? Because currently my website is not reachable because of an ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

There is a CAA record issued for the parent public suffix, which is actually a bit weird.

Try adding CAA records on your own domain for the following, and then enable Universal SSL certificates again.

@ IN CAA 0 issue "comodoca.com"
@ IN CAA 0 issue "digicert.com"
@ IN CAA 0 issue "letsencrypt.org"
@ IN CAA 0 issuewild "comodoca.com"
@ IN CAA 0 issuewild "digicert.com"
@ IN CAA 0 issuewild "letsencrypt.org"

Doing some reading, Cloudflare knew about the issue with nl.eu.org three years ago. I suspect just adding an iodef CAA record will cause Cloudflare’s automatic CAA records to kick in, and essentially override the CAA record set in the parent.

So, I’ll need to add something like this to the DNS config?

Not exactly. Try creating two records like this, which enable Let’s Encrypt to issue the certs you are using:

Type: CAA
Name: @
Tag: Only allow specific hostnames, and another record for Only allow wildcards
CA domain name: letsencrypt.org

If you have any CAA record, Cloudflare will add the CAA records they need to issue a certificate.

Ahh, got it. I’ve read most parts of the post you provided in the meantime, and understood that 2 records would need to be added. I’ll try this and provide feedback in the following days.

Thank you for the suggestion and information!

Never mind… I just toggled the Universal SSL certificate off and on, waiting a couple of minutes in between, and it jumped immediately to active status.

Thanks for the help!

I think you are falling into an unusual situation.

The CAA specification originally said that a certificate authority should “tree-climb” looking for a CAA record.

nl.eu.org is a Public Suffix, and I’m not sure that I have ever seen a domain that can be used like this have a CAA record. The record says that only Lets Encrypt can issue certs for specific hostnames under nl.eu.org.

Let’s Encrypt specifically does not tree climb, so you had no problem using them to issue your cert. Cloudflare’s CA may have actually looked for and found the CAA record, but it did not mention their name, so they said “The CAA forbids us from issuing a certificate”.

But I’m making a guess here, and I’m interested in your results. I’ll need to have a read of the Baseline Requirements to see who is at fault here.
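To make the two-record suggestion above and the tree-climbing explanation concrete, here is an added offline CAA evaluator. It is example code written for this thread, not Cloudflare’s, Let’s Encrypt’s or the poster’s own tooling, and it does no DNS lookups: the zone data is constructed from what the posts describe (a CAA record at the public suffix nl.eu.org that names only letsencrypt.org, and nothing on the registrant’s name). The function names, the www. label and the mailto address in the iodef record are placeholders, and the evaluation rules are RFC 8659 sections 3 and 4 as I read them; real CAs layer their own policy on top.

```python
"""Offline CAA evaluator illustrating the thread's situation.

Added example, not code from the thread. Zone data is constructed from the
posts (CAA at the public suffix nl.eu.org allowing only letsencrypt.org,
none on the registrant's own name). Record owner names, the www. label and
the mailto address are placeholders. Evaluation follows RFC 8659 sections
3 and 4 as I read them; real CAs add policy on top of this.
"""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int
    tag: str      # "issue", "issuewild" or "iodef"
    value: str    # e.g. 'letsencrypt.org' or 'letsencrypt.org; validationmethods=dns-01'


Zone = Dict[str, List[CAA]]   # owner name (no trailing dot) -> CAA RRset


def parent(name: str) -> str:
    """Strip the leftmost label; '' denotes the root."""
    return name.partition(".")[2] if "." in name else ""


def relevant_rrset(zone: Zone, name: str, tree_climb: bool = True) -> List[CAA]:
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    name towards the root. For a wildcard name the walk starts at the name with
    the '*' label removed. tree_climb=False consults only the exact owner name,
    modelling a CA that does not climb (the thread's description of Let's Encrypt)."""
    if name.startswith("*."):
        name = name[2:]
    while name:
        rrset = zone.get(name.lower(), [])
        if rrset or not tree_climb:
            return rrset
        name = parent(name)
    return []


def _ca_of(value: str) -> str:
    # Everything before ';' is the issuer domain; parameters follow it.
    return value.split(";", 1)[0].strip().lower()


def permits(rrset: List[CAA], ca: str, wildcard: bool) -> bool:
    """RFC 8659 sections 4.3/4.4: for a wildcard request, issuewild records take
    precedence when present, otherwise issue records apply. A relevant set with
    no applicable issue/issuewild property places no restriction (an iodef-only
    set is such a set). A value of ';' alone names no CA, so nobody may issue."""
    tags = ["issue"]
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tags = ["issuewild"]
    applicable = [r for r in rrset if r.tag in tags]
    if not applicable:
        return True
    return any(_ca_of(r.value) == ca.lower() for r in applicable)


def can_issue(zone: Zone, name: str, ca: str, tree_climb: bool = True) -> bool:
    """Would CA `ca` be allowed to issue for `name` under this zone data?"""
    wildcard = name.startswith("*.")
    return permits(relevant_rrset(zone, name, tree_climb), ca, wildcard)


# Constructed zone mirroring the thread: the public suffix carries a CAA record
# naming only Let's Encrypt; the registrant's own name carries none.
PARENT_ONLY: Zone = {
    "nl.eu.org": [CAA(0, "issue", "letsencrypt.org")],
}

# Same, plus the six records suggested in the thread on the registrant's name.
WITH_OWN_CAA: Zone = {
    **PARENT_ONLY,
    "dnd-mapp.nl.eu.org": [
        CAA(0, "issue", "comodoca.com"),
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "comodoca.com"),
        CAA(0, "issuewild", "digicert.com"),
        CAA(0, "issuewild", "letsencrypt.org"),
    ],
}

# Same, but only an iodef record on the registrant's name (the hypothesis raised
# in the thread). Its mere presence makes it the relevant RRset for the walk.
WITH_IODEF_ONLY: Zone = {
    **PARENT_ONLY,
    "dnd-mapp.nl.eu.org": [CAA(0, "iodef", "mailto:hostmaster@example.com")],
}


if __name__ == "__main__":
    host = "www.dnd-mapp.nl.eu.org"   # placeholder hostname under the thread's domain
    for label, zone in (("parent only", PARENT_ONLY), ("own CAA", WITH_OWN_CAA),
                        ("iodef only", WITH_IODEF_ONLY)):
        for ca in ("letsencrypt.org", "digicert.com"):
            print(f"{label:11} climb={can_issue(zone, host, ca)!s:5} "
                  f"no-climb={can_issue(zone, host, ca, tree_climb=False)!s:5} {ca}")
```

Running it shows the asymmetry the thread is circling: with only the parent record, a climbing issuer other than Let’s Encrypt is refused while a non-climbing issuer sees no CAA at all, and either the six explicit records or a lone iodef record on the registrant’s own name stops the walk before it reaches the public suffix.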

I don’t really know what’s going on tbh… just glad that it’s working finally. I’ll need to catch up on a whole lot of reading and understanding to get a gist of the situation.

I do think that your guess is in the right direction, since Cloudflare also doesn’t recognize my registrar (nl.eu.org), while Let’s Encrypt does not have a problem providing certificates for my domain that is under the registrar.
