Troubleshooting
By default, you may issue up to 15 certificates per minute. Only successful submissions (POSTs that return 200) are counted towards your limit. If you exceed your limit, you will be prevented from issuing new certificates for 30 seconds.
If you require a higher rate limit, contact your Customer Success Manager.
To remove specific files from Cloudflare’s cache, purge the cache while specifying one or more hosts.
Cloudflare returns a 1016 error when the custom hostname cannot be routed or proxied.
There are three main causes of error 1016:
- Custom Hostname ownership validation is not complete. To check validation status, run an API call to search for a certificate by hostname and check the verification error field:
"verification_errors": ["custom hostname does not CNAME to this zone."]. - Fallback Origin is not correctly set. Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
- A Wildcard Custom Hostname has been created, but the requested hostname is associated with a domain that exists in Cloudflare as a standalone zone. In this case, the hostname priority for the standalone zone will take precedence over the wildcard custom hostname. This behavior applies even if there is no DNS record for this standalone zone hostname.
In this scenario each hostname that needs to be served by the Cloudflare for SaaS parent zone needs to be added as an individual Custom Hostname.
To move a custom hostname back to an Active status, send a PATCH request to restart the hostname validation. A Custom Hostname in a Moved status is deleted after 7 days.
In some circumstances, custom hostnames can also enter a Moved state if your customer changes their DNS records pointing to your SaaS service. For more details, refer to Remove custom hostnames.
The caa_error in the status of a custom hostname means that the CAA records configured on the domain prevented the Certificate Authority to issue the certificate.
You can check which CAA records are configured on a domain using the dig command:
dig CAA example.com
You will need to ensure that the required CAA records for the selected Certificate Authority are configured. For example, here are the records required to issue Let’s Encrypt ↗ and Google Trust Services ↗ certificates:
example.com CAA 0 issue "letsencrypt.org"example.com CAA 0 issuewild "letsencrypt.org"
example.com CAA 0 issue "pki.goog; cansignhttpexchanges=yes"example.com CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"More details can be found on the CAA records FAQ.
As Let’s Encrypt - one of the certificate authorities (CAs) used by Cloudflare - has announced changes in its chain of trust, starting September 9, 2024, there may be issues with older devices trying to connect to your custom hostname certificate.
Refer to the full migration guide for details and consider the following solutions:
-
Use the Edit Custom Hostname endpoint to set the
certificate_authorityparameter to an empty string (""): this sets the custom hostname certificate to “default CA”, leaving the choice up to Cloudflare. Cloudflare will always attempt to issue the certificate from a more compatible CA, such as Google Trust Services, and will only fall back to using Let’s Encrypt if there is a CAA record in place that blocks Google from issuing a certificate.Example API call
Terminal window curl --request PATCH \\https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames/{custom_hostname_id} \\--header "X-Auth-Email: <EMAIL>" \\--header "X-Auth-Key: <API_KEY>" \\--header "Content-Type: application/json" \\--data '{"ssl": {"method": "txt","type": "dv","certificate_authority": ""}}' -
Use the Edit Custom Hostname endpoint to set the
certificate_authorityparameter togoogle: this sets Google Trust Services as the CA for your custom hostnames. -
If you are using a custom certificate for your custom hostname, refer to the custom certificates troubleshooting.
The zone hold feature is a toggle that will prevent their zone from being activated on other Cloudflare account.
When the option Also prevent subdomains is enabled, this prevents the verification of custom hostnames for this domain. The custom hostname will remain in the Blocked status, with the following error message: The hostname is associated with a held zone. Please contact the owner of this domain to have the hold removed. In this case, the owner of the zone needs to release the hold before the custom hostname can become activated.