Universal SSL shows "Deleted" and cannot apply for a new one when switching from NS to CName setup

cloud3 · October 10, 2021, 11:55am

Concerning domain: gao.bo

I used to activate the domain with Cloudflare in NS way and it issued me a universal SSL.
Then due to some technical reason I had to switch NS to CName and I deleted the domain and added it again in CName way and performed the activation again without a problem.
But suddenly when I checked the SSL/TLS certificate I noticed that the root domain (gao.bo itself) is showing “Deleted” status. I tried to disable universal SSL and enable again. Nothing changed though.
I searched around but failed to find a way to ask Cloudflare to issue a univeral SSL for the root domain again (all subdomains got their universal SSL issued without a problem).

A screenshot is attached as above. It is in Chinese but the issue is lingually neutral.

Please help!

sdayman · October 10, 2021, 2:04pm

It looks like that domain is not using Cloudflare DNS, so I wouldn’t expect Cloudflare to be able to issue a certificate.

cloud3 · October 10, 2021, 2:20pm

Thanks for your time replyinng.
That’s exactly what CName indicates: we don’t have to use Cloudflare DNS, instead we use CNAME records via a Cloudflare partner. Cloudflare issues univeral SSLs for domains and subdomains activated in both NS and CName ways.

sdayman · October 10, 2021, 2:23pm

Right, so the account the CNAME points to needs to issue the cert. That’s Cloudfare’s SaaS service, as well as a Biz/Ent plan feature. You can’t do this with a regular account.

cloud3 · October 10, 2021, 3:45pm

The highlighted part shows that the universal SSLs (for domains activated in CName manner) are managed and renewed by Cloudflare.

erictung · October 11, 2021, 2:49am

When you are in CNAME setup, Cloudflare will only issue SSL certificates for DNS records that are proxied, and your current nameserver must point the CNAME to Cloudflare to complete the SSL verification.

cloud3 · October 11, 2021, 3:07am

Thanks for your time Eric.

As you mentioned, and I’ve also been a loyal Cloudflare user for quite a while. You are perfectly correct. On the other hand I have already completed all the steps: a) the domains are proxied, AND b) the domains have been resolved to 1.1.1.1 or CNAMEed to corresponding-domain.cdn.cloudflare.net (you can simply verify by pinging gao.bo f.gao.bo and t.gao.bo)

However it does not work at all. The problem is that Cloudflare did not even try to issue the certicate for the root domain, but all subdomains work like a charm, though they all own totally the same configuration over domain resolution.

yoursunny · October 11, 2021, 3:33am

https://dns-lookup.jvns.ca/#gao.bo|all-the-records

name	TTL	record type	value
gao.bo.	600	A	1.1.1.1

Are you sure an A record to 1.1.1.1 is the correct setup?
1.1.1.1 is normally a DNS server, not a CDN frontend.

cloud3 · October 11, 2021, 9:48am

Thanks for your time Sunny.

I can confirm that resolving to 1.1.1.1 (or 1.0.0.1) is correct. I can change my current subdomains or set up a new subdomain to show you that it does work. Although, I seems not to be able to find an official document supporting this.

cloud3 · October 12, 2021, 10:01am

I searched throughout the community and found several posts with the same issue, and none of them receive meaningful solution. A trivial issue right? Not so I am afraid.

cloud3 · October 12, 2021, 3:35pm

I decide to wait for 3 month until that deleted certificate to expire and see what happens.