Universal SSL (Edge Certificates) stopped working and is now stuck on pending verification

domain: grillmagazine.gr
I have installed Let’s Encrypt on my server and under Cloudflare’s SSL/TLS settings, I was using the Full (strict) setting. I have also added a DNS record of NS _acme-challenge so I will not have to manually update the site’s acme-challenge on Cloudflare. Everything was working fine but around half a month ago, the site was not accessible via any browser, and I was getting an SSL-related error.

After I checked the server (everything was working well) I saw on Cloudflare that the Universal SSL was pending. I disabled and re-enabled Universal SSL, but after 5 days now it still says “Cloudflare will validate the certificate on your behalf. No action is required.”

It seems to be stuck for some reason, and I cannot figure out why.
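
The setup above (Universal SSL at the edge, a Let’s Encrypt certificate at the origin, Full (strict) between them) means two certificates can break independently. The following is an added Python example, not code from the thread or from Cloudflare: it performs the same strict client check that Full (strict) does, first against the proxied hostname and optionally straight at an origin IP, so you can see which side fails and why. Hostnames, IPs and the sample certificate data are assumptions/constructed.

```python
"""Strict TLS check of a host, like Cloudflare's Full (strict) mode performs.
Usage: python tlscheck.py <hostname> [<origin-ip>]"""
import socket
import ssl
import sys
from datetime import datetime, timezone


def parse_name(name):
    # ssl returns names as nested RDN tuples: ((('commonName', 'R3'),), ...) -> flat dict
    return {attr: value for rdn in name for attr, value in rdn}


def summarize(cert, hostname):
    """Reduce ssl.getpeercert() output to what matters for an origin check."""
    issuer = parse_name(cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    # A SAN covers the host if it matches exactly or is a wildcard for the host's parent.
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    covers = any(san == hostname or (san.startswith("*.") and san[2:] == parent) for san in sans)
    return {
        "issuer": f'{issuer.get("organizationName", "?")} / {issuer.get("commonName", "?")}',
        "sans": sans,
        "days_left": (expires - datetime.now(timezone.utc)).days,
        "covers_host": covers,
    }


def check_endpoint(hostname, connect_to=None, port=443):
    """Handshake with the system trust store and hostname verification enabled.
    connect_to lets you bypass the proxy and talk to the origin IP with the real SNI."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((connect_to or hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"ok": True, **summarize(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as exc:
        # This is the failure Full (strict) would report (expired, untrusted, wrong name).
        return {"ok": False, "error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    host, origin_ip = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    print("edge  :", check_endpoint(host))
    if origin_ip:
        print("origin:", check_endpoint(host, connect_to=origin_ip))
```

If the edge check fails but the origin check passes, the problem is the edge certificate (for example Universal SSL still pending); the reverse points at the origin certificate, which is what Full (strict) rejects.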

Does it mean you’re using LE’s SSL cert for your domain at your origin host/server? :thinking:

To me, seems like there might be an issue with Let’s Encrypt :thinking:
As far as I can tell, your domain was using Cloudflare Universal SSL → Let’s Encrypt.

Maybe you could try to change it from LE to DigiCert using the instructions below? :thinking:

So far, DNSSEC wasn’t being used.
Cloudflare nameservers are correctly set.

Did you use, or were you using, some kind of a CNAME setup maybe? Or some 3rd-party integrator or hosting partner of Cloudflare for your domain name? :thinking:

As far as I can see, currently, you’re either using “Pause Cloudflare for this Website” option, or some of the DNS records are unproxied :grey: (DNS-only)? :thinking:

Have you tried contacting Cloudflare Support about this issue so far? :thinking:

Kindly, I’d suggest you write a ticket to Cloudflare support due to your account and/or domain issue and share the ticket number here with us so we could escalate this issue:

  • Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button. If you get an automatic reply, reply and indicate to it that you need more help and reference this topic
  • Or send an e-mail to support[at]cloudflare[dot]com from the e-mail associated with your Cloudflare account

Thank you for the response on this matter.

I will try to answer your questions below:

I was using LE’s SSL cert on the origin host and I am using the setting I described in my last reply so that the acme-challenge can be updated correctly every 90 days, when the SSL needs to be updated.

I have tried to download cURL for Windows and run it through cmd, but I might be doing something wrong. Must DigiCert also be enabled on the origin server? Currently Let’s Encrypt is a cron job handled from the server itself.

I don’t know what this is exactly. I can see that it is not enabled on the SSL tab.

No special CNAME setups. Just the usual www. and nothing more.

I have paused Cloudflare for this domain and re-enabled it to test if this was creating a problem with issuing the SSL. After that, I just unproxied the DNS records because the site was not accessible. It was popping an SSL error and the site was offline.

I have created a support ticket from my Cloudflare account and the ticket ID is 2511098.

Ok, great.

No, I was referring to changing the CA for the Universal SSL from Let’s Encrypt → DigiCert.
Maybe that’s the issue for your domain name :thinking:

It can be found on the DNS tab; just scroll down a bit and you’ll find the “DNSSEC” section.

Have you tried enabling/disabling with proxied :orange: DNS records? :thinking:

Thank you. I’ve escalated your issue.

Kindly and patiently wait for a reply.

Seems like this issue was already resolved by one of my colleagues. Please let me know if you still need anything.

-Tom

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.