Universal SSL Pending Verification

I have ordered a Universal SSL, and I have waited for a brief period of time, but I have a question regarding the validation.

My domain, udg.edu.me, has the following A record (within the pre-CF zone file):

udg.edu.me. 3599 IN A 66.113.163.27

This is not an address I proxied to through CloudFlare. We are reluctant to give go-ahead to Admin to remove the A record from the zone because as soon as he does that, our customers will be slammed with “Invalid certificate error”. Won’t they?

I would really like to avoid those SSL errors. Am I missing something? Does the verification require me to remove preexisting A record from my old DNS?

Thanks!
Jovan

In addition to the A record above, my domain already has CloudFlare’s NS records:

Appreciate all the help.

Thanks,
Jovan

You are simply missing an A record for your naked domain on Cloudflare.

Also, the edu.me domain itself seems to have a broken configuration, as one of its nameservers does not resolve and .me and edu.me seem to disagree about the nameservers.

Thanks Sandro.

How is it that I am missing the A record on CloudFlare? Is this it?

Please notice that the A record above holds the new IP (that I want to hide). The IP 66.113.163.27 that I mentioned in the question is the old one, which is to be retired.

As for edu.me, thank you for sharing that info with me. Those are beyond my jurisdiction, so even if I wanted to, I could not change them. :frowning:

You are right. Cloudflare does have your record:

nslookup udg.edu.me jason.ns.cloudflare.com
Server:  jason.ns.cloudflare.com
Address:  173.245.59.179

Name:    udg.edu.me
Addresses:  2606:4700:20::681a:eb9
	  2606:4700:20::681a:fb9
	  2606:4700:20::ac43:457d
	  104.26.15.185
	  104.26.14.185
	  172.67.69.125

However, it does not resolve publicly:

nslookup udg.edu.me 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Name:    udg.edu.me

I’d attribute this to the DNS issues with edu.me. You had best contact your registrar about that issue.

Yes, I agree completely. I have already sent an email to them with necessary changes.

This could well be the reason why the SSL cert cannot be verified, right?

Thanks,
Jovan

It actually seems as if edu.me responded authoritatively for your domain itself, hence requests won’t reach Cloudflare in the first place. That’s really something your registrar needs to look into.

As for the certificate, as long as your domain is not properly set up, Cloudflare will hold off on the certificate too.


Hey @sandro

One more question, regarding the verification process. In my “Edge certificates” tab, when I click on the Pending indicator, I see something like this:

Question: Why are there 2 TXT records with the same name? (unless I have misunderstood it)

Thanks!

Best regards,
Jovan

Do you have a partner setup? On a full setup, such a verification should not be necessary; only your DNS setup needs to be correct.


Nope, nothing like that. Thanks! :slight_smile:

On the other hand, I have a DNS conflict at hand which I need to resolve, because the DNS checker shows from 4 - 9 correct resolutions. But that is a subject for my domain registrar …

A full setup should usually not require such a configuration, as the DNS is already with Cloudflare. It is not clear why it showed up in your case; maybe open a support ticket to clarify this. But the DNS setup needs fixing first anyhow. The registry shouldn’t announce your domain any more, but only refer to the configured nameservers.

That is kind of the core of the problem. edu.me is a government registrar (the Ministry of Education here in Montenegro) and they manage all EDU domains. It is my understanding that they are unable to forward domains to external servers.

In addition to that, life just got pretty interesting: because of a conflict with a zone in the internal DNS (within the building of the University), I think that we will be forced to skip CloudFlare (or any DDoS protection for that matter) :frowning:

Thanks @sandro

Yes, in that case Cloudflare won’t really be an option, unless you look into CNAME setups, where you do not need to change nameservers, but these are only available on the pricey plans.

I don’t remember the precise validation, but I think this may be due to a broken chain of trust:

❯ dig ns udg.edu.me +trace @1.1.1.1 | grep ns2
edu.me.			86400	IN	NS	ns2.edu.me.
couldn't get address for 'ns2.edu.me': not found

.me is a weird one; since GDPR they don’t let us get WHOIS records either, so we can’t see the NS info from the WHOIS.

I’ll bookmark this issue here, and I’ll follow up tomorrow.

Errors:

edu.me zone: The following NS name(s) did not resolve to address(es): ns2.edu.me
edu.me zone: The server(s) were not responsive to queries over UDP. (89.188.39.223)
me/DNSKEY: No response was received from the server over UDP (tried 4 times). (199.253.59.1, UDP_-_EDNS0_512_D_K)

Warnings:

edu.me to udg.edu.me: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the edu.me zone): irma.ns.cloudflare.com, jason.ns.cloudflare.com
edu.me to udg.edu.me: The following NS name(s) were found in the delegation NS RRset (i.e., in the edu.me zone), but not in the authoritative NS RRset: mail.edu.me, ns.edu.me
me to edu.me: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the me zone): mail.edu.me, ns.ac.me
me to edu.me: The following NS name(s) were found in the delegation NS RRset (i.e., in the me zone), but not in the authoritative NS RRset: ns2.edu.me

Yeah, something weird is going on here. Check out this link, and contact your registrar.
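As an added example (not part of the original thread or of any Cloudflare or DNSViz code), the Python below models the checks behind the delegation errors and warnings quoted above: for each zone cut it compares the parent's delegation NS RRset with the child's authoritative NS RRset, flags NS names that have no address (ns2.edu.me), and flags a parent server that answers for the child authoritatively instead of referring, which is the situation Sandro described. It runs offline: the server name tld.example and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders, and the zone contents are arranged to reproduce the warnings quoted, not fetched from the live tree.

```python
"""Offline model of the zone-cut checks that DNSViz or 'dig +trace' perform.

Constructed example: the zone data and the RFC 5737 documentation addresses
below are made up to mirror the me -> edu.me -> udg.edu.me findings; nothing
here is queried from the real DNS.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    ns: set                                          # authoritative NS RRset at the apex
    delegations: dict = field(default_factory=dict)  # child apex -> NS RRset in this zone


EDU_ME = Zone("edu.me", {"ns.edu.me", "mail.edu.me", "ns.ac.me"},
              delegations={"udg.edu.me": {"mail.edu.me", "ns.edu.me"}})
# The child zone as served from Cloudflare and, wrongly, as a copy carried by
# the edu.me servers themselves, so they answer for it instead of referring.
UDG_EDU_ME = Zone("udg.edu.me", {"irma.ns.cloudflare.com", "jason.ns.cloudflare.com"})

# Hypothetical servers (by name) and the zones each one carries.
SERVERS = {
    "tld.example": [Zone("me", {"tld.example"},
                         delegations={"edu.me": {"ns.edu.me", "ns2.edu.me"}})],
    "ns.edu.me": [EDU_ME, UDG_EDU_ME],
    "mail.edu.me": [EDU_ME, UDG_EDU_ME],
    "ns.ac.me": [EDU_ME],
    "irma.ns.cloudflare.com": [UDG_EDU_ME],
    "jason.ns.cloudflare.com": [UDG_EDU_ME],
}
# Glue / address records (documentation ranges). ns2.edu.me is deliberately absent.
ADDRESSES = {
    "tld.example": "192.0.2.1", "ns.edu.me": "192.0.2.10", "mail.edu.me": "192.0.2.11",
    "ns.ac.me": "192.0.2.12",
    "irma.ns.cloudflare.com": "198.51.100.1", "jason.ns.cloudflare.com": "198.51.100.2",
}


def hosted_zone(server, name):
    """The zone literally named `name` on `server`, or None."""
    return next((z for z in SERVERS.get(server, []) if z.name == name), None)


def closest_zone(server, qname):
    """Longest zone on `server` enclosing qname: the zone it would answer from."""
    zones = [z for z in SERVERS.get(server, [])
             if qname == z.name or qname.endswith("." + z.name)]
    return max(zones, key=lambda z: len(z.name), default=None)


def check_cut(parent, child, parent_servers):
    """Audit one cut parent -> child; return (findings, servers usable for the next cut)."""
    findings, delegation = [], set()
    for s in sorted(parent_servers):
        pz = hosted_zone(s, parent)
        if pz is None or child not in pz.delegations:
            findings.append(f"{parent} zone: {s} has no delegation for {child}")
            continue
        delegation |= pz.delegations[child]
        # A parent server that carries the child zone answers with AA set and
        # never hands resolvers on to the delegated (Cloudflare) servers.
        if closest_zone(s, child).name == child:
            findings.append(f"{parent} to {child}: {s} answers authoritatively for "
                            f"{child} instead of referring (it carries its own copy)")
    for ns in sorted(delegation):
        if ns not in ADDRESSES:
            findings.append(f"{parent} zone: NS {ns} did not resolve to an address")
            continue
        cz = hosted_zone(ns, child)
        if cz is None:
            findings.append(f"{parent} to {child}: {ns} is lame (no authoritative answer)")
            continue
        extra = sorted(cz.ns - delegation)      # in authoritative RRset, not in parent
        missing = sorted(delegation - cz.ns)    # in parent, not in authoritative RRset
        for label, names in (("in authoritative NS RRset but not in delegation", extra),
                             ("in delegation but not in authoritative NS RRset", missing)):
            msg = f"{parent} to {child}: {label}: {', '.join(names)}"
            if names and msg not in findings:
                findings.append(msg)
        if ns not in cz.ns:
            findings.append(f"{parent} to {child}: {ns} answers authoritatively for "
                            f"{child} but is not in its NS RRset")
    return findings, {ns for ns in delegation if hosted_zone(ns, child)}


def audit(target, hint_servers=frozenset({"tld.example"})):
    """Walk every cut from the TLD down to `target`, like dig +trace, collecting findings."""
    labels = target.split(".")
    cuts = [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]  # me, edu.me, ...
    findings, servers = [], set(hint_servers)
    for parent, child in zip(cuts, cuts[1:]):
        cut_findings, servers = check_cut(parent, child, servers)
        findings += cut_findings
        if not servers:
            findings.append(f"{child}: no working nameserver, trace stops")
            break
    return findings


if __name__ == "__main__":
    for line in audit("udg.edu.me"):
        print(line)
```

Running it reproduces the shape of the quoted report: the mismatched NS sets at both cuts, the unresolvable ns2.edu.me, and the extra finding that ns.edu.me and mail.edu.me answer for udg.edu.me themselves. Note that irma and jason .ns.cloudflare.com are never consulted during the walk, because the edu.me servers answer first; a public resolver following the same path ends up where Sandro's nslookup did.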