Universal Edge Certificates Pending Validation

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?

Please share your search results url:
CF community posts

When you tested your domain, what were the results?
I tested it just now. Universal cert for proton.ad.gt is in Pending Validation state.

Describe the issue you are having:
I have a partial CNAME setup: https://developers.cloudflare.com/dns/zone-setups/partial-setup/
I already have a few subdomains successfully configured with Universal certificate.
Two days ago, I tried setting up another one: proton.ad.gt. Unfortunately, the TLS has been in Pending Validation state since then. The request is for a DigiCert certificate.
The backend seems configured correctly; I am not using wildcard certs in the backend, just a regular AWS cert with a few simple common names.

To make matters worse, today, another ad.gt subdomain that was configured about a year ago started reporting that the Universal certificate is in pending validation status. The old cert was from DigiCert, the new request is from LE.

I have no DNSSEC enabled; ad.gt is configured in AWS.

What error message or number are you receiving?
Pending Validation

What steps have you taken to resolve the issue?

  1. Avoid using wildcard certs in the backend
  2. Ensure that I have backend responding on both HTTP and HTTPS
  3. Since the validation challenge is HTTP, I have added the well-known request to the backend, even though I should not need to do it
  4. I have checked that I am not using DNSSEC that could potentially block the certificate issuance.

Was the site working with SSL prior to adding it to Cloudflare?

What are the steps to reproduce the error:

  1. Visit the site or check the Edge Certificates panel

Have you tried from another browser and/or incognito mode?

Please attach a screenshot of the error:

If you navigate to the SSL / Edge-Certificate menu in the Cloudflare dashboard, you will see a very prominent warning:

What exactly you need to do is outlined in the linked article; it depends on your kinds of records (wildcard or not), whether you use Advanced Certificates and some other configurations.

From the pages you suggested:

If your domain is on a Partial setup, Cloudflare will automatically complete HTTP-based DCV on your behalf.
