Universal SSL - TXT validation method

I will refer to our domain as site.tld in this post.

  • We are looking to get a seamless switchover for a SSL-enabled www.site.tld, which is currently live
  • We are using CNAME setup (partial zone)
  • We would like to use Universal SSL with no downtime
  • We have amended the validation method from HTTP to TXT using the API

We have already pointed the www.site.tld to www.site.tld.cdn.cloudflare.net, DNS-only though due to the missing SSL certificate.

We have received a txt_name (equal to www.site.tld) and a txt_value (example: ca3-xxxxxxxxx).

Where do we put the TXT records though? Are they supposed to go to the site.tld root in the common format of www.site.tld=txt_value? Or are they supposed to be set on the txt_name, meaning they would be discoverable at www.site.tld.site.tld?

For example, is this correct?

$ dig -t TXT site.tld
site.tld.	300	IN	TXT	"www.site.tld=ca3-xxxxxxxxx"

Or is this correct?

$ dig -t TXT www.site.tld.site.tld
www.site.tld.site.tld. 300 IN TXT "ca3-xxxxxxxxx"

There is already a CNAME record present on www.site.tld, thus we cannot add another TXT record there.

This is an interesting issue, I see what you are trying to do with removing the downtime by switching to TXT validation here:
https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/

I’m pretty sure the record should just be www.site.tld but I do then see your issue with the CNAME. I’m trying to test this and work it out.

Can you tell me the domain name? I don’t think site.tld is the correct domain.

Is there a way to send a DM with the domain name?

In the end, we have worked around the issue by going for an advanced certificate with a wildcard for the immediate post-launch, then we have switched back to the HTTP method to get the universal SSL once there was a functioning certificate in place.

There should be a way to send a message when you click on the user name.

That only appears for Staff and MVPs @AnjanaM - if you start the PM then @petr_io will be able to reply, they will not be able to start one with you though.

Got it thanks. I did send him a message. Hopefully he can reply in that. Thanks for guiding me

The correct one would have been:
dig -t TXT www.site.tld
www.site.tld. 300 IN TXT "ca3-xxxxxxxxx"

Hope this helps.
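The reply above puts the TXT record at the hostname itself (www.site.tld), and the original question shows the two placements that are wrong (a "www.site.tld=value" record at the apex, and a record at www.site.tld.site.tld). The following is an added example, not code from the thread or from Cloudflare: a small planner that reads dig-style records, checks whether a CNAME already occupies the owner name (RFC 1034 s3.6.2 forbids other records at a CNAME owner, which is the limitation the thread runs into), and reports any copies of the value sitting at the wrong owner. The zone contents, the `Record`/`DcvPlan` types and the function names are constructed for this example; the hostname and value are the placeholders used in the question.

```python
# Added example, not code from the thread: plan where a TXT DCV record can go.
# Assumptions (mine, not the page's): the validator queries the TXT at the
# hostname itself (www.site.tld); the zones below are constructed dig-style
# lines; RFC 1034 s3.6.2 applies (a CNAME owner name carries no other records).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    name: str   # owner name, lower-case, no trailing dot
    rtype: str  # "A", "CNAME", "TXT", ...
    value: str  # rdata; quotes stripped for TXT, trailing dot stripped for CNAME


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner TTL IN TYPE rdata' lines, the shape dig prints. ';' starts a comment."""
    out: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"unsupported record line: {raw!r}")
        owner, _ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        rdata = rdata.strip()
        if rtype == "TXT":
            rdata = rdata.strip('"')
        elif rtype == "CNAME":
            rdata = rdata.rstrip(".").lower()
        out.append(Record(owner.rstrip(".").lower(), rtype, rdata))
    return out


@dataclass(frozen=True)
class DcvPlan:
    ok: bool                         # False when the TXT record cannot be placed
    reason: str                      # human-readable explanation
    record: Optional[Record] = None  # record to add when ok and not already present


def locate_dcv_value(records: List[Record], txt_value: str) -> List[str]:
    """Owner names whose TXT rdata contains txt_value. Catches the two wrong
    placements from the question: 'www.site.tld=value' at the apex and txt_name.zone."""
    return [r.name for r in records if r.rtype == "TXT" and txt_value in r.value]


def plan_txt_dcv(records: List[Record], txt_name: str, txt_value: str) -> DcvPlan:
    """Decide whether TXT txt_value can be added at owner txt_name in this zone."""
    owner = txt_name.rstrip(".").lower()
    at_owner = [r for r in records if r.name == owner]
    cname = next((r for r in at_owner if r.rtype == "CNAME"), None)
    if cname is not None:
        # The failure mode from the thread: the hostname is already a CNAME.
        return DcvPlan(False, f"{owner} is a CNAME to {cname.value}; a CNAME owner may carry "
                              f"no other records (RFC 1034 s3.6.2), so the TXT cannot coexist with it")
    if any(r.rtype == "TXT" and r.value == txt_value for r in at_owner):
        return DcvPlan(True, f"TXT {txt_value!r} already present at {owner}")
    misplaced = [n for n in locate_dcv_value(records, txt_value) if n != owner]
    note = f"; the same value at {', '.join(misplaced)} is at the wrong owner name" if misplaced else ""
    return DcvPlan(True, f"add TXT {txt_value!r} at {owner}{note}", Record(owner, "TXT", txt_value))


def render(record: Record, ttl: int = 300) -> str:
    """Format a record the way dig prints it, for pasting into a change request."""
    rdata = f'"{record.value}"' if record.rtype == "TXT" else f"{record.value}."
    return f"{record.name}.\t{ttl}\tIN\t{record.rtype}\t{rdata}"


# Constructed sample zones (not real DNS data). 192.0.2.10 is a TEST-NET-1 placeholder.
ZONE_WITH_CNAME = """
www.site.tld.  300  IN  CNAME  www.site.tld.cdn.cloudflare.net.
"""
ZONE_WITH_A = """
www.site.tld.  300  IN  A  192.0.2.10   ; no CNAME here, so a TXT can be added
"""
ZONE_MISPLACED = """
www.site.tld.           300  IN  A    192.0.2.10
site.tld.               300  IN  TXT  "www.site.tld=ca3-xxxxxxxxx"
www.site.tld.site.tld.  300  IN  TXT  "ca3-xxxxxxxxx"
"""

TXT_NAME, TXT_VALUE = "www.site.tld", "ca3-xxxxxxxxx"

if __name__ == "__main__":
    for label, zone in (("CNAME", ZONE_WITH_CNAME), ("A", ZONE_WITH_A), ("misplaced", ZONE_MISPLACED)):
        plan = plan_txt_dcv(parse_zone(zone), TXT_NAME, TXT_VALUE)
        print(f"[{label}] ok={plan.ok}: {plan.reason}")
        if plan.record:
            print("   ", render(plan.record))
```

Running it against the three constructed zones shows the three situations in the thread: the CNAME zone is refused outright, the A-record zone gets the single correct TXT line to add, and the "misplaced" zone is still accepted but flags the apex and txt_name.zone copies as being at the wrong owner. Because the check is purely on owner-name conflicts, it also explains the workaround the original poster ended up with: the TXT can only be placed while www.site.tld is not a CNAME.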

That’s what I thought, so this would have to be done before the CNAME was pointed to Cloudflare and you can’t use the TXT method once the CNAME is already done.

Ok, so in our situation (when the live site is also using a CNAME, even before switching over to the CF CNAME), it would not be possible to use the TXT validation? (due to the impossible CNAME and TXT co-existence)

If so, would it be worth documenting this limitation?

This does seem to me like something that should be documented. Perhaps @cwaters can pass this along to whoever handles the SSL docs.

Thanks for the suggestion. We’ve got the docs updated for partial zone setups and the TXT validation method.

I believe that’s the correct wording, but let me know if it needs further updates!
