Troubleshooting
By default, you may issue up to 15 certificates per minute. Only successful submissions (POSTs that return 200) are counted towards your limit. If you exceed your limit, you will be prevented from issuing new certificates for 30 seconds.
If you require a higher rate limit, contact your Customer Success Manager.
To remove specific files from Cloudflare’s cache, purge the cache while specifying one or more hosts.
Cloudflare returns a 1016 error when the custom hostname cannot be routed or proxied.
There are three main causes of error 1016:
- Custom Hostname ownership validation is not complete. To check validation status, run an API call to search for a certificate by hostname and check the verification error field:
"verification_errors": ["custom hostname does not CNAME to this zone."]
. - Fallback Origin is not correctly set. Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
- A Wildcard Custom Hostname has been created, but the requested hostname is associated with a domain that exists in Cloudflare as a standalone zone. In this case, the hostname priority for the standalone zone will take precedence over the wildcard custom hostname. This behavior applies even if there is no DNS record for this standalone zone hostname.
In this scenario each hostname that needs to be served by the Cloudflare for SaaS parent zone needs to be added as an individual Custom Hostname.
To move a custom hostname back to an Active status, send a PATCH request to restart the hostname validation. A Custom Hostname in a Moved status is deleted after 7 days.
In some circumstances, custom hostnames can also enter a Moved state if your customer changes their DNS records pointing to your SaaS service. For more details, refer to Remove custom hostnames.
The caa_error
in the status of a custom hostname means that the CAA records configured on the domain prevented the Certificate Authority to issue the certificate.
You can check which CAA records are configured on a domain using the dig
command:
dig CAA example.com
You will need to ensure that the required CAA records for the selected Certificate Authority are configured. For example, here are the records required to issue Let's Encrypt ↗ and Google Trust Services ↗ certificates:
More details can be found on the CAA records FAQ.
As Let's Encrypt - one of the certificate authorities (CAs) used by Cloudflare - has announced changes in its chain of trust, starting September 9, 2024, there may be issues with older devices trying to connect to your custom hostname certificate.
Consider the following solutions:
-
Use the Edit Custom Hostname endpoint to set the
certificate_authority
parameter to an empty string (""
): this sets the custom hostname certificate to "default CA", leaving the choice up to Cloudflare. Cloudflare will always attempt to issue the certificate from a more compatible CA, such as Google Trust Services, and will only fall back to using Let’s Encrypt if there is a CAA record in place that blocks Google from issuing a certificate.Example API call
-
Use the Edit Custom Hostname endpoint to set the
certificate_authority
parameter togoogle
: this sets Google Trust Services as the CA for your custom hostnames. -
If you are using a custom certificate for your custom hostname, refer to the custom certificates troubleshooting.
The zone hold feature is a toggle that will prevent their zone from being activated on other Cloudflare account.
When the option Also prevent subdomains
is enabled, this prevents the verification of custom hostnames for this domain. The custom hostname will remain in the Blocked
status, with the following error message: The hostname is associated with a held zone. Please contact the owner of this domain to have the hold removed.
In this case, the owner of the zone needs to release the hold before the custom hostname can become activated.
The Common Name (CN) restriction establishes a limit of 64 characters (RFC 5280 ↗). If you have a hostname that exceeds this length, you may find the following error:
To solve this, you can set cloudflare_branding
to true
when creating your custom hostnames via API.
Cloudflare branding means that sni.cloudflaressl.com
will be added as the certificate Common Name (CN) and the long hostname will be included as a part of the Subject Alternative Name (SAN).