Universal SSL Certificates not issuing

Hello -

We just set up a client’s DNS in Cloudflare just about 24 hours ago and Universal SSL certs have not been issued. It seems that this is happening more frequently now on new accounts where there is a problem every time and it is slowing down the process of getting accounts up and running on CF. Right now, we have all DNS provisioned to not pass through CF but using “DNS Only”.

I have tried disabling SSL and re-enabling it 10 minutes later, and same with disabling Universal SSL and re-enabling it and nothing seems to trigger the issuance of these certs. What is happening?


Thank you for asking.

May I ask you to post and share your domain name in bracketed dot [.] notation here and URL example to the particular resource with us so we could double-check, troubleshoot and provide some feedback information? :thinking:

If you recently changed your domain nameservers, have you checked if the DNSSEC was disabled and any DS records removed at your domain registrar before domain nameservers were changed? :thinking:

May I ask if some of the DNS records are unproxied :grey: (DNS-only) maybe? :thinking:

Hello -

The domain is healthworksacademies[.]com

Here is a screenshot of their current DNS configuration: https://i.imgur.com/DNpYZCH.png

GoDaddy is their domain registrar and their had pointed the nameservers to Bluehost (where their website is) and had Bluehost managing the DNS, not GoDaddy.

However, when we setup CF, I changed the nameservers in GoDaddy to point to CF instead of Bluehost since CF will be handling all of the DNS moving forward.

Let me know if you need any further information. I also just checked again, still no Universal SSL certs.

@jason8 could you try enabling Universal SSL in the dashboard? It looks like you disabled it before the domain was actually active - so no certificate order will be issued until your domain is detected as active on our nameservers. Once you enable Universal SSL, I would expect everything to proceed as normal.

1 Like

Hello Simon -

Yeah, I just realized that it was disabled which I set it that way yesterday evening when trying different things to get it to trigger.

I just enabled it and it now says it is “Pending”, so it should be fine moving forward.

Not sure what the initial issue was. Thanks for your help.

So I think what happened here is the nameserver change you made to switch your domain NS to Cloudflare took longer than usual. We won’t order the SSL cert until we detect that change, so disabling Universal SSL before your domain goes active on Cloudflare will mean that the SSL order never gets created. You can pause your domain to allow traffic to flow directly to your origin while SSL is issuing, but don’t disable Universal SSL if your domain isn’t active yet.

1 Like

Simon -

I had waited for about an hour as GoDaddy DNS changes take a little longer than normal, once I got the message “Great News, your site is active on CF” I then went through everything to make sure it was configured correctly and that is where the Universal SSL was saying “No Certificates” - which if I don’t “pause” CF or turn off proxy, the website shows a Bad Cert error or Security Warning.

So I paused CF and then kept refreshing, Enabling and Disabling Universal SSL, trying to do something to trigger it and nothing was working, even though the domain was active. I just paused it and forgot to re-enable it before I went to bed.

This isn’t the first time I have had an issue with the Universal SSL, but assuming the process is different now because I have to make sure when we migrate DNS for a client, we’re having to “pause” each time and wait for Universal SSL to catch up.

This domain is fine now but will be a little wearier on the next project. Thanks again for your help.

I wanted to double check the audit logs here to make sure I am looking at the same dates & times you are - if you want to, DM me the details of the domain and I’ll check for you. From what I can see, Universal SSL was disabled before the nameserver change was detected, which would cause the exact problem you described.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.