Universal SSL shows "Deleted" and cannot apply for a new one when switching from NS to CName setup

Concerning domain: gao.bo

I used to activate the domain with Cloudflare in NS way and it issued me a universal SSL.
Then due to some technical reason I had to switch NS to CName and I deleted the domain and added it again in CName way and performed the activation again without a problem.
But suddenly when I checked the SSL/TLS certificate I noticed that the root domain (gao.bo itself) is showing “Deleted” status. I tried to disable universal SSL and enable again. Nothing changed though.
I searched around but failed to find a way to ask Cloudflare to issue a universal SSL for the root domain again (all subdomains got their universal SSL issued without a problem).


A screenshot is attached as above. It is in Chinese but the issue is lingually neutral.

Please help!

It looks like that domain is not using Cloudflare DNS, so I wouldn’t expect Cloudflare to be able to issue a certificate.

Thanks for your time replying.
That’s exactly what CName indicates: we don’t have to use Cloudflare DNS, instead we use CNAME records via a Cloudflare partner. Cloudflare issues universal SSLs for domains and subdomains activated in both NS and CName ways.

Right, so the account the CNAME points to needs to issue the cert. That’s Cloudflare’s SaaS service, as well as a Biz/Ent plan feature. You can’t do this with a regular account.


The highlighted part shows that the universal SSLs (for domains activated in CName manner) are managed and renewed by Cloudflare.

When you are in CNAME setup, Cloudflare will only issue SSL certificates for DNS records that are proxied, and your current nameserver must point the CNAME to Cloudflare to complete the SSL verification.


Thanks for your time Eric.

As you mentioned, and I’ve also been a loyal Cloudflare user for quite a while. You are perfectly correct. On the other hand I have already completed all the steps: a) the domains are proxied, AND b) the domains have been resolved to 1.1.1.1 or CNAMEd to corresponding-domain.cdn.cloudflare.net (you can simply verify by pinging gao.bo, f.gao.bo and t.gao.bo).

However it does not work at all. The problem is that Cloudflare did not even try to issue the certificate for the root domain, but all subdomains work like a charm, though they all have exactly the same configuration for domain resolution.

https://dns-lookup.jvns.ca/#gao.bo|all-the-records

name TTL record type value
gao.bo. 600 A 1.1.1.1

Are you sure an A record to 1.1.1.1 is the correct setup?
1.1.1.1 is normally a DNS server, not a CDN frontend.
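
Added example, not part of any post in this thread: a small Python check that reads records in the layout of the lookup output above and reports, per hostname, whether it has a CNAME to `<hostname>.cdn.cloudflare.net` (the target form mentioned earlier in the thread) or only an address record. Only the `gao.bo` A row comes from the page; the subdomain rows, function names and status labels are assumptions made for illustration.

```python
# Constructed sample in the "name TTL type value" layout of the lookup above.
# Only the gao.bo A row is from the thread; the other rows are hypothetical.
SAMPLE_RECORDS = """\
name TTL record type value
gao.bo.        600 A     1.1.1.1
f.gao.bo.      600 CNAME f.gao.bo.cdn.cloudflare.net.
other.gao.bo.  600 CNAME edge.example.net.
"""

CF_SUFFIX = ".cdn.cloudflare.net"  # CNAME-setup target suffix named in the thread


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_records(text):
    """Return {owner name: [(record type, value), ...]}, skipping non-record rows."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[1].isdigit():
            continue  # header line or malformed row
        name, _ttl, rtype, value = fields
        records.setdefault(normalise(name), []).append((rtype.upper(), normalise(value)))
    return records


def classify(name, records):
    """Describe how one hostname is pointed, without judging whether it works."""
    host = normalise(name)
    rrset = records.get(host, [])
    if not rrset:
        return "no-records"
    cnames = [value for rtype, value in rrset if rtype == "CNAME"]
    if not cnames:
        return "address-only"  # A/AAAA only, so there is no CNAME target to compare
    return "cname-to-cloudflare" if cnames[0] == host + CF_SUFFIX else "cname-elsewhere"


def audit(text):
    """Classify every hostname that appears in the record listing."""
    records = parse_records(text)
    return {name: classify(name, records) for name in records}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_RECORDS).items():
        print(f"{host:15} {status}")
```
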

Thanks for your time Sunny.

I can confirm that resolving to 1.1.1.1 (or 1.0.0.1) is correct. I can change my current subdomains or set up a new subdomain to show you that it does work. Although, I seem not to be able to find an official document supporting this.

I searched throughout the community and found several posts with the same issue, and none of them received a meaningful solution. A trivial issue, right? Not so, I am afraid.

I have decided to wait 3 months for that deleted certificate to expire and see what happens.