Universal SSL certificate stuck in "Pending validation (TXT)"

Answer these questions to help the Community help you with Security questions.

What is the domain name?

Have you searched for an answer?

Yes, and found several issues where DNSSEC was part of the problem. It currently is active for this domain in our registrar, but some of our other domains (for example, peterlindbergh-coruna.com; almost the same name, but “coruna” instead of “acoruna”) have the same configuration and are working without problems.

When you tested your domain, what were the results?

An SSL error is displayed when you try to connect:

[~] curl -I https://peterlindbergh-acoruna.com/
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure

Describe the issue you are having:

The Edge Certificate for this domain has been stuck at the “Pending validation (TXT)” state for several days. Validation records (_acme-challenge.peterlindbergh-acoruna.com) seem to be created, but they don’t appear to work:

[~] dig TXT _acme-challenge.peterlindbergh-acoruna.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> TXT _acme-challenge.peterlindbergh-acoruna.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4485
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_acme-challenge.peterlindbergh-acoruna.com. IN TXT

;; ANSWER SECTION:
_acme-challenge.peterlindbergh-acoruna.com. 300	IN TXT "pHbz229ieVrlblS-YH0aaCIXB2Q8oB3QdSGjFQsC7IU"
_acme-challenge.peterlindbergh-acoruna.com. 300	IN TXT "BXUqv-B2QLirHcqapxTIkut57uilGq9MkUUqCpeNkC4"
_acme-challenge.peterlindbergh-acoruna.com. 300	IN TXT "jJ7ra2EtV5KeRh9i_EJflrDUv7aUpIawpfbORGlKmXM"
_acme-challenge.peterlindbergh-acoruna.com. 300	IN TXT "eUOWUJjFaB3fwE4FiUE8axdwnoglZ6lHbp8fEZ77Taw"

;; AUTHORITY SECTION:
peterlindbergh-acoruna.com. 101900 IN	NS	melina.ns.cloudflare.com.
peterlindbergh-acoruna.com. 101900 IN	NS	kipp.ns.cloudflare.com.

;; ADDITIONAL SECTION:
melina.ns.cloudflare.com. 101900 IN	A	108.162.194.184
melina.ns.cloudflare.com. 101900 IN	A	162.159.38.184
melina.ns.cloudflare.com. 101900 IN	A	172.64.34.184
kipp.ns.cloudflare.com.	101900	IN	A	172.64.35.240
kipp.ns.cloudflare.com.	101900	IN	A	108.162.195.240
kipp.ns.cloudflare.com.	101900	IN	A	162.159.44.240
melina.ns.cloudflare.com. 101900 IN	AAAA	2a06:98c1:50::ac40:22b8
melina.ns.cloudflare.com. 101900 IN	AAAA	2606:4700:50::a29f:26b8
melina.ns.cloudflare.com. 101900 IN	AAAA	2803:f800:50::6ca2:c2b8
kipp.ns.cloudflare.com.	101900	IN	AAAA	2803:f800:50::6ca2:c3f0
kipp.ns.cloudflare.com.	101900	IN	AAAA	2a06:98c1:50::ac40:23f0
kipp.ns.cloudflare.com.	101900	IN	AAAA	2606:4700:58::a29f:2cf0

;; Query time: 47 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Feb 29 09:59:27 CET 2024
;; MSG SIZE  rcvd: 613

What steps have you taken to resolve the issue?

Removed the Universal Certificate, waited for a while and enabled it again, as per the FAQ at Troubleshooting Universal SSL · Cloudflare SSL/TLS docs.

Was the site working with SSL prior to adding it to Cloudflare?

We’re not sure, but we think it wasn’t. This is a secondary domain and, as we’re not the website administrators, we can’t access the server configuration. It’s probable that the website is not configured for this domain, only for the main one.

What are the steps to reproduce the error:

Use “curl” or any other tool to connect to the website.

Please attach a screenshot of the error:

The previous “curl” execution shows the issue.

Thanks in advance!

The DS records at your registrar aren’t from Cloudflare…
https://cf.sjr.org.uk/tools/check?d67e0eaa257240bfbf98946ff2e9ae15#dns

Check that DNSSEC is enabled at Cloudflare and set the DS records from Cloudflare in your registrar…
https://dash.cloudflare.com/?to=/:account/:zone/dns/settings

If you have just updated them or disabled DNSSEC at the registrar then you’ll need to wait up to 24 hours for the change to take effect at the root zone.

Your other site isn’t using DNSSEC…
https://cf.sjr.org.uk/tools/check?97b62a06acc345b5b3602544d45c3e5d#dns

Thank you, I’ve seen that DNSSEC is the common culprit in these cases, but it puzzles me that we had this validation problem only with this domain (and another one that we’ve just found out).

I suppose disabling DNSSEC should do the trick, right?

Disabled at the registrar, yes.

DNSSEC protects your DNS from being diverted. Changing nameservers without updating the DS records will always, by design, stop the domain from resolving if the user’s resolver is set to validate signatures.

Your other domains probably didn’t have DNSSEC enabled.
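The mismatch described in the replies above (DS records at the registrar that were generated for a previous DNS provider's keys, so validating resolvers reject the zone) can be checked offline once you have the DNSKEY records the zone publishes and the DS records the parent holds. The following is an added example, not code from the thread or from Cloudflare; the DNSKEY value and the DS tuples used in the comments are constructed.

```python
# Added example: compute the DS record a DNSKEY should produce (RFC 4034) and
# flag DS records in the parent zone that match none of the published keys.
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: str   # base64 text as printed in the DNSKEY record

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm != 1 case)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest (1 = SHA-1, 2 = SHA-256) over owner wire name + DNSKEY RDATA."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + key.rdata()).hexdigest().upper()


def ds_matches(owner: str, key: DNSKEY, ds: tuple) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex) as held at the registrar."""
    tag, alg, dtype, digest = ds
    if dtype not in (1, 2):
        return False   # unsupported digest type: treat as not matching
    return (tag == key_tag(key) and alg == key.algorithm
            and digest.upper() == ds_digest(owner, key, dtype))


def stale_ds_records(owner: str, keys: list, parent_ds_set: list) -> list:
    """Return the DS records in the parent that match none of the zone's DNSKEYs."""
    return [ds for ds in parent_ds_set
            if not any(ds_matches(owner, k, ds) for k in keys)]
```

Any DS returned by `stale_ds_records` is one the registrar must replace with the DS shown in the current DNS provider's DNSSEC settings (or delete, if DNSSEC is to be turned off), after which the parent zone change needs time to propagate.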

Thanks, we disabled DNSSEC and it’s working. We have found that part of our domains have DNSSEC enabled, and now the problem has become knowing why that happened. Thanks for your support!
