SSL Edge Certificate keeps status Pending Validation (TXT)

The edge certificate for the domain spreek.nl keeps showing the status “Pending Validation (TXT)”, already for more than 48 hours.

As a possible solution, I now added the TXT snippets to the DNS (_acme-challenge.spreek.nl), but without result.
I also did a DNSSEC test, but this also seems to work correctly: https://dnsviz.net/d/spreek.nl/dnssec

I’m out of options now. What to do?

If you recently changed your domain nameservers, regular DNS propagation time usually takes up to 24-48 hours to complete.

The DNS records (hostname) should be proxied :orange: at the DNS tab of Cloudflare dashboard.

However, it seems to me like you’re not using Cloudflare nameservers, or you added the assigned ones for your Cloudflare account as NS type of the DNS records at your domain registrar interface :thinking:

WHOIS got me:

Domain nameservers:
ns1.argewebhosting.eu
ns2.argewebhosting.com
ns3.argewebhosting.nl

Nevertheless, I do see your domain has got DNSSEC enabled.

When I do check the DNSSEC, I see there are DS records added, and no DNSSEC issue. It seems to me like DNSSEC was enabled before you changed your domain nameservers to Cloudflare.

If you recently changed your domain nameservers, have you checked if the DNSSEC was disabled and any DS records removed at your domain registrar before domain nameservers were changed? :thinking:

Kindly, I’d suggest you contact your domain registrar and ask them to disable DNSSEC for your domain and remove any of the existing DS records at their interface.

Nevertheless, you might have to wait up to 48 or 72 hours for proper DNS propagation and to clear the DS/DNSSEC entries for your domain name.

Unfortunately, this is a known “issue”, or rather to say it happens. Before we change domain nameservers, we should make sure we disable the DNSSEC feature and remove any of the existing DS type of DNS records for our domain at our domain registrar.

To get Universal SSL issued, you have to have:

  1. Using Cloudflare nameservers for your domain name at your domain registrar
  2. Proxied :orange: at least one DNS record (hostname) like example.com at the DNS tab of Cloudflare dashboard

Furthermore, may I ask if your domain is still in “Pending nameserver check” status at Cloudflare dashboard? :thinking: If yes, then that would be one more reason why it isn’t issued → nameservers not CF’s and DNSSEC enabled.

You should disable DNSSEC and remove any of the existing DS records at your domain registrar before changing domain nameservers and wait up to 48 hours to fully clear up. After that, you proceed with the process further. Otherwise, if you did not do this step, this is the cause of NXDOMAIN error.

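The three things checked in this thread (which nameservers the domain is delegated to, whether DS records are still published at the parent, and whether the `_acme-challenge` TXT record is visible) can be scripted. The following is an added example, not part of the original posts; the function names, finding codes and the DS value are constructed for illustration, and it assumes Cloudflare-assigned nameservers are hostnames under `ns.cloudflare.com`.

```sh
#!/bin/sh
# Added example (not from the thread): triage a certificate stuck in
# "Pending Validation (TXT)" from three DNS answers.

# classify NS_ANSWERS DS_ANSWERS ACME_TXT_ANSWERS
# Each argument is raw multi-line `dig +short` output; prints finding codes.
classify() {
    ns=$1; ds=$2; txt=$3; findings=""; on_cf=yes

    # Assumption: Cloudflare-assigned nameservers are hosts under ns.cloudflare.com.
    if [ -z "$ns" ]; then
        findings="$findings NO_NS_ANSWER"; on_cf=no
    elif printf '%s\n' "$ns" | sed 's/\.$//' | grep -qiv '\.ns\.cloudflare\.com$'; then
        findings="$findings NS_NOT_CLOUDFLARE"; on_cf=no
    fi

    # A DS record at the parent means DNSSEC is still enabled at the registrar.
    if [ -n "$ds" ]; then
        if [ "$on_cf" = no ]; then
            findings="$findings DS_REMOVE_BEFORE_NS_CHANGE"
        else
            findings="$findings DS_VERIFY_AGAINST_NEW_KEYS"
        fi
    fi

    # The TXT validation record must be visible in public DNS.
    if [ -z "$txt" ]; then
        findings="$findings NO_ACME_TXT"
    fi

    findings=${findings# }
    printf '%s\n' "${findings:-OK}"
}

# live_check DOMAIN: run the same triage against real DNS (needs dig and network).
live_check() {
    classify "$(dig +short NS "$1")" \
             "$(dig +short DS "$1")" \
             "$(dig +short TXT "_acme-challenge.$1")"
}

# Constructed sample: nameservers as listed in the WHOIS output above, a made-up DS.
SAMPLE_NS='ns1.argewebhosting.eu.
ns2.argewebhosting.com.
ns3.argewebhosting.nl.'
SAMPLE_DS='12345 13 2 0000000000000000000000000000000000000000000000000000000000000000'

# Only touch the network when a domain is passed on the command line.
if [ -n "${1:-}" ]; then live_check "$1"; fi
```

Run it as `sh check.sh example.com` to query live DNS; `check.sh` is a hypothetical file name.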