SSL Edge Universal Cert - Stuck Pending

What is the domain name?


Have you searched for an answer?

Yes, this is the same issue: #275052 and #413424

Please share your search results url:



When you tested your domain using the [Cloudflare Diagnostic Center](Cloudflare(dot)com /diagnostic-center/), what were the results:
HTTPs not enabled, because cert not yet validated.

Describe the issue you are having:

My domains Edge SSL disappeared, so HTTPs cannot be accessed. Error received: ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Then I disabled and re-enabled and now get pending validation which last for 3 days. Tried one more time disabling and re-enabling and have now been waiting a few more hours, but still stuck pending.

This process still not progressed even after disabling/re-enabling universal SSL.


What error message or number are you receiving?


Pending Validation
Review Universal Certificate for *,
Cloudflare will validate the certificate on your behalf. No action is required.

What steps have you taken to resolve the issue?

  1. Disable Universal SSL, wait about 10 minutes
  2. Enable Universal SSL.
  3. Wait a few days… repeat.

Was the site working with SSL prior to adding it to Cloudflare?


What are the steps to reproduce the error:

  1. Enable Universal SSL
  2. See the Initializing process
  3. See the Pending Validation process.

Have you tried from another browser and/or incognito mode?

Yes, still same issue.

Please attach a screenshot of the error:

Welcome to the Cloudflare Community!

Thank you for sharing your domain name, it helps greatly with debugging.

; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for

Your DNSSEC Configuration is broken.

It looks like you had DNSSEC Set up at one point, but currently disabled at Cloudflare and not properly set up. Not all DNS Resolvers validate DNSSEC, some ISP-operated Resolvers don’t, but most public ones and Certificate Providers do, which will prevent them from resolving your site/issuing a certificate.

You’ll want to either outright disable DNSSEC, or enable DNSSEC with Cloudflare and update your DNSSEC configuration with the information Cloudflare gives you:

These changes to your DNSSEC Configuration can be done at your Registrar, Porkbun.

After you make these changes to fix your DNSSEC Configuration, the certificate issuance should retry after a bit and succeed. You can use the tool and click “Update Now” to confirm you fixed the issue, no “BOGUS” status/notices should appear. It will take a bit for changes you make at your registrar to apply though.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.