Universal SSL ticket pending validation (txt) for over 48hrs

Answer these questions to help the Community help you with Security questions.

What is the domain name?
aud.et

Have you searched for an answer?
Yes, I have found to try toggling “universal SSL” to off for 5 minutes then back on and waiting 24 hours.

When you tested your domain, what were the results?
SSL error due to no certificate

Describe the issue you are having:
Universal SSL edge certificate is marked as “pending (txt)” for over 48 hrs even after toggling Universal SSL. Domain DNS is managed by Cloudflare and the pending notice says that no action is required on my end - however, the documentation says 24 hours is the max wait time and it has been double that.

As we’re dealing with a TLD that doesn’t support DNSSEC, that shouldn’t be able to be the problem.

What certificate authority?

It says “should”.

I believe you should interpret that part as “what is probable”, e.g. typically / under normal conditions, and assuming nothing else prevents the certificate issuance.

That being said, do you mind taking a look at your DNS records?

https://dash.cloudflare.com/?to=/:account/:zone/dns/records

Do you have any DNS record(s) listed, where the Name field contains “_acme-challenge”?

Hi, thanks for replying,
Here is my DNS. I have manually added the TXT verification records after waiting 24 hours. As the notification for pending verification says, I don’t need to do anything, but I tried regardless.
It’s also worth noting that the ACME challenge codes appear to rotate once a day, and I have updated them twice now.

Here is CA info

Can you try deleting them?

I would strongly advise going against such advice, as it would more often be causing conflicts rather than doing anything good.

I currently see 6 _acme-challenge records in the DNS for your domain, including the two from your screenshot.

Can you try the following:

  1. Disable Universal SSL
    https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

  2. Wait 2 hours

  3. Check the DNS, could be with a tool like digwebinterface.com, dnschecker.org or similar site, for the TXT record of _acme-challenge.aud.et, and see if there are still remaining _acme-challenge TXT record(s) left then?
    Dig web interface - TXT record for _acme-challenge.aud.et
    dnschecker.org - TXT record for _acme-challenge.aud.et

  4. Respond back with what you see regarding #3.

Also, do you see any certificates with the status Active (e.g. a Backup), under Edge Certificates?

1 Like
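
Step 3 of the procedure above can also be done from a terminal. The script below is an added example, not part of the original thread: it parses `dig +noall +answer` output and reports the `_acme-challenge` TXT values that are still published and are not in a list you pass in. It assumes `dig` is installed for the live lookup; the function names and all token values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Token values below are constructed.

# Print the TXT values for one exact owner name ($1), given
# `dig +noall +answer` output on stdin.
acme_txt_values() {
  awk -v name="$1" '
    BEGIN { name = tolower(name); sub(/\.$/, "", name) }
    {
      owner = tolower($1); sub(/\.$/, "", owner)
      if (owner != name || $4 != "TXT") next
      val = $5
      for (i = 6; i <= NF; i++) val = val " " $i
      gsub(/"/, "", val)
      print val
    }' | sort -u
}

# Read values on stdin; print those not listed in the arguments.
# With no arguments, every value still published is printed.
unexpected_values() {
  while IFS= read -r v; do
    [ -n "$v" ] || continue
    known=0
    for e in "$@"; do
      if [ "$v" = "$e" ]; then known=1; fi
    done
    if [ "$known" -eq 0 ]; then printf '%s\n' "$v"; fi
  done
}

# Live lookup against one resolver (needs dig and network access).
# $1 = domain, $2 = resolver IP, e.g. check_resolver aud.et 1.1.1.1
check_resolver() {
  dig +noall +answer TXT "_acme-challenge.$1" "@$2" |
    acme_txt_values "_acme-challenge.$1"
}

# Constructed dig answer section used for the offline demonstration.
sample_answer() {
  cat <<'EOF'
_acme-challenge.aud.et. 300 IN TXT "constructed-token-cf-1"
_acme-challenge.aud.et. 300 IN TXT "constructed-token-manual-1"
_acme-challenge.aud.et. 300 IN TXT "constructed-token-manual-2"
_acme-challenge.www.aud.et. 300 IN TXT "constructed-token-other"
EOF
}

sample_answer | acme_txt_values _acme-challenge.aud.et | unexpected_values "constructed-token-cf-1"
```

For a live check, pipe `check_resolver aud.et 1.1.1.1` into `unexpected_values` instead of the sample; repeating it against more than one resolver shows whether cached copies of removed records are still being served.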
