Universal Certificate - Pending Validation

We have a domain of microsoft-assistance.com and right now we cannot use SSL, because we have an error “Pending Validation (TXT)”.

The record exists in the DNS zone, but not shown at the dash cloudflare page:

# dig -t TXT microsoft-assistance.com

; <<>> DiG 9.16.1-Ubuntu <<>> -t TXT microsoft-assistance.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18617
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;microsoft-assistance.com.	IN	TXT

;; ANSWER SECTION:
microsoft-assistance.com. 300	IN	TXT	"ca3-123b5f6df077496eaa86ccda1230c9d6"

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Mar 10 23:34:27 CET 2021
;; MSG SIZE  rcvd: 102

I’d tried to add it manually, but dash panel shows that the record exists.

How can we fix the problem?

Are you trying to obtain an SSL certificate over your proxied domain via Cloudflare?
In other words, are the DNS records A or CNAME :orange: or :grey:?

Have you tried to do a step as follows here:

Kindly, check here and re-check the steps:

You should contact your internal team at Microsoft for the process for issuing SSL certificates.

1 Like

@fritexvz - right now it is proxied. I tried to disable the “cloud” and enable it again and this did not hepled (actually repeated the steps in this article)

@cscharff did I understand you correctly that “microsoft” is banned word in the domain name, so that is why it is non standard procedure at Cloudflare to obtain the Universal Certificate?

Many large brands have agreements and controls with the major certificate vendors for issuance of certificates using their brand names. I don’t work for Microsoft and Cloudflare isn’t a CA but I imagine it’s highly likely that without using their documented process or presenting a LOA directly to the CA for issuance it isn’t going to happen by automated means.

If the CA refuses to issue a certificate, it’s not possible for Cloudflare to deploy it, so the request will likely stay in pending and then time out as unfilled.

1 Like