SSL/TLS Certificate Pending Validation (TXT)

Dear Community,

I’m facing an issue with SSL validation in Cloudflare for my domain. Can you give me some insight to get the issue resolved? Also, I have submitted a case with the support team since my issue has been there for 24 hrs. I have followed the troubleshooting steps below but had no luck getting my validation issue fixed.

My case number is 2187511

How long has it been “authorizing” for?

  • 24 Hrs

What of the trouble shooting steps above have you tried?

  • Restarted the process by disabling and enabling Universal SSL
  • PATCHed the validation method with the Cloudflare SSL API
  • Followed the Apex Validation steps

What is the plan level for the domain in question?

  • PRO subscription with Free SSL

What error, if any, is displaying on your site at the moment?

  • Status is Pending Validation at Cloudflare and SSL/cipher mismatch at the website

Are you signed up directly through Cloudflare or through a hosting provider/partner?

  • Signed up directly through Cloudflare

I’m not seeing mention of a TXT record in your nicely detailed description of the problem. Those validation methods look to be for higher level customers running SSL as a Service for their own customers.

But it sounds like you’ve already tried the standard procedure described below… correct?

I’m going to bump this into the escalation queue. Thank you for posting a ticket number.

Hi @hypexalerts, it looks like you have DNSSEC set up at your registrar and it is invalid:

$ dig TXT _acme-challenge.example.com

; <<>> DiG 9.16.9 <<>> TXT _acme-challenge.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;_acme-challenge.example.com.	IN	TXT

Note the DNSSEC Bogus message there, but you can also verify online via a tool such as:

https://dnssec-analyzer.verisignlabs.com/

DNSSEC being broken means that DNS resolvers that validate DNSSEC cannot resolve your domain right now, and that would include the Certificate Authorities that are attempting to check for the verification records.

If you have DNSSEC enabled on your Cloudflare config, visit the DNS screen:

https://dash.cloudflare.com/?to=/:account/:zone/dns

And click the DS Record link under DNSSEC to get your DS records. You then need to visit your domain registrar and correct the DNSSEC config to match what is in Cloudflare.

Once your domain is resolvable again, SSL should issue shortly after.

3 Likes
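An added example (my own Python, not Cloudflare’s code or anything posted in this thread) showing what the DS record at the registrar has to match: it derives the DS fields from a zone’s DNSKEY the way a validating resolver does (RFC 4034 key tag, RFC 4509 SHA-256 digest) and flags any field that disagrees, such as a key tag typo. The DNSKEY it uses is constructed sample data, not a real key.

```python
import hashlib
from dataclasses import dataclass
@dataclass
class Dnskey:              # fields of the zone's DNSKEY record
    owner: str             # zone name, e.g. "example.com."
    flags: int             # 257 = KSK (zone key + SEP bit)
    protocol: int          # always 3
    algorithm: int         # 13 = ECDSAP256SHA256
    public_key: bytes      # base64-decoded public key

@dataclass
class DsRecord:            # the four values the Cloudflare DS Record link shows
    key_tag: int
    algorithm: int
    digest_type: int       # 2 = SHA-256
    digest: str            # hex

def wire_name(name: str) -> bytes:
    # DNS wire format: length-prefixed, lower-cased labels, then the root label.
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(k: Dnskey) -> bytes:
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.public_key

def key_tag(k: Dnskey) -> int:
    # RFC 4034 Appendix B: 16-bit sum over the RDATA, high byte at even offsets.
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(k: Dnskey) -> DsRecord:
    # RFC 4509 digest type 2: SHA-256 over owner name (wire format) + DNSKEY RDATA.
    digest = hashlib.sha256(wire_name(k.owner) + dnskey_rdata(k)).hexdigest()
    return DsRecord(key_tag(k), k.algorithm, 2, digest)

def check_ds(registrar: DsRecord, k: Dnskey) -> list:
    # Any mismatch makes the chain of trust bogus for validating resolvers (SERVFAIL, EDE 6).
    expected, problems = ds_from_dnskey(k), []
    if registrar.key_tag != expected.key_tag:
        problems.append(f"key tag {registrar.key_tag} should be {expected.key_tag}")
    if registrar.algorithm != expected.algorithm:
        problems.append(f"algorithm {registrar.algorithm} should be {expected.algorithm}")
    if registrar.digest_type != 2 or registrar.digest.lower() != expected.digest:
        problems.append("digest does not match the DNSKEY")
    return problems
# Constructed sample key, not a real DNSKEY; its key tag works out to 2068.
SAMPLE_KEY = Dnskey("example.com.", 257, 3, 13, bytes([1, 2, 3, 4]))
```

With a real zone, fill in `Dnskey` from the `DNSKEY` record Cloudflare serves and `DsRecord` from what the registrar publishes; an empty list from `check_ds` means the two agree.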

@sdayman thanks for the response, yeah, I tried the methods mentioned in the post.

@simon Yes, the analyzer is saying that the DS record is incorrect, so the DNSSEC chain of trust is broken.
But in that case Cloudflare should not show that the DNSSEC setup was successful, as of now I’m seeing it at my domain on the Cloudflare side.

It may be a glitch at Cloudflare’s end. Let me do one thing: change the nameservers to the ones the domain registrar provided, and then change the nameservers & DS records back to Cloudflare again to see if it resolves my issue.

@simon Found the issue, thanks for the insight. It is a Key Tag value typo in the DS record at the registrar’s end. I informed the end customer to correct the value; hope it will resolve my pending validation TXT record issue and give me an active SSL certificate.

2 Likes

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.