Troubleshooting
Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.
Blocked validation URLs or misconfigured DNS settings might interfere with the certificate authority’s ability to finish the validation process. In these situations, you may need to update your configuration at Cloudflare or at your authoritative DNS provider. Additionally, there can also be errors on the CA side.
If you have issues while HTTP DCV is in place, review the following settings:
-
Anything affecting
/.well-known/*
: Review WAF custom rules, IP Access Rules, and other configuration rules to make sure that your rules do not enable interactive challenge on the validation URL. -
Cloudflare Account Settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled I’m Under Attack Mode on the validation URL.
Enabling Always Use HTTPS does not impact the validation process.
In a Partial (CNAME) setup where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the /.well-known/*
path.
When using Redirect Rules the /.well-known/*
path should be excluded from redirections.
The errors below refer to situations that have to be addressed at the authoritative DNS provider:
the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus
Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.
Consider the following when troubleshooting:
- DNSSEC ↗ must be configured correctly. You can use DNSViz ↗ to understand and troubleshoot the deployment of DNSSEC.
- Your CAA records should allow Cloudflare’s partner certificate authorities (CAs) to issue certificates on your behalf.
- The HTTP verification process is done preferably over IPv6, so if any
AAAA
record exists and does not point to the same dual-stack location as theA
record, the validation will fail.
As mentioned in Certificate authorities, specific CAs may have their own limitations. If you use Let’s Encrypt and receive the error below, it means you hit the duplicate certificate limit ↗ imposed by Let’s Encrypt.
The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority.
A certificate is considered a duplicate of an earlier certificate if it contains the exact same set of hostnames.
In this case, you can either wait for the rate limit window to end or choose a different certificate authority.
When the certificate authority finds an issue during the CA check portion of the DCV flow, you may see a Internal error with Certificate Authority
message. In this case, either wait or try a different certificate authority.
When the error states that the certificate authority will not issue for this domain
, you can try a different certificate authority or contact the CA directly.