DCV Delegation requires you to place a one-time record that allows Cloudflare to auto-renew all future certificate orders, so that there’s no manual intervention at the time of the renewal.
When to use
You should use Delegated DCV when all of the following conditions are true:
- Your zone is using a .
- Cloudflare is not already .
- Your zone is using an .
- Your zone is not using multiple CDN providers.
- The Certificate Authority is either Google or Let’s Encrypt.
To set up Delegated DCV:
- Order an for your zone. You can choose any Certificate validation method.
- On SSL/TLS > Edge Certificates, go to DCV Delegation for Partial Zones.
- Copy the Cloudflare validation URL.
- At your authoritative DNS provider, create CNAME record(s) considering the following:
  - If your certificate only covers the apex domain and a wildcard, you only need to create a single CNAME record for your apex domain. Any direct subdomains will be covered as well.
    _acme-challenge.example.com CNAME example.com.<COPIED_VALIDATION_URL>.
  - If your certificate also covers subdomains specified by their name, you will need to add multiple CNAME records to your authoritative DNS provider, one for each specific subdomain. For example, a certificate covering sub.example.com would require the following records.
    _acme-challenge.example.com CNAME example.com.<COPIED_VALIDATION_URL>.
    _acme-challenge.sub.example.com CNAME sub.example.com.<COPIED_VALIDATION_URL>.
Because DCV happens regularly, do not remove the CNAME record(s) at your authoritative DNS provider. Otherwise, Cloudflare will not be able to perform DCV on your behalf and your certificate will not be issued.
If you use a dig command to test, you should only be able to see the placed tokens if the certificate is up for issuance. This is because Cloudflare places the tokens when needed and then cleans them up.
$ dig TXT +noadditional +noquestion +nocomments +nocmd +nostats _acme-challenge.example.com. @188.8.131.52
_acme-challenge.example.com. 3600 IN CNAME example.com.<COPIED_VALIDATION_URL>
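The record rules from the setup steps above and the dig check, as an added example that is not Cloudflare's code: it derives the _acme-challenge CNAME records a certificate's hostnames need (apex plus wildcard fold into one record, named subdomains get one each), parses dig answer lines like the one above, and reports any record that is missing, of the wrong type, or pointed at the wrong target. The validation URL (example-validation.invalid) and the dig output are constructed stand-ins for the copied value and a real query.

```python
# Added example (not Cloudflare's code): derive the _acme-challenge CNAMEs a
# DCV-delegated certificate needs and audit dig output against them.
VALIDATION_URL = "example-validation.invalid"  # constructed stand-in for <COPIED_VALIDATION_URL>

def required_dcv_cnames(hostnames, validation_url=VALIDATION_URL):
    """Map owner name -> expected CNAME target. A wildcard folds into the record
    of the name it wildcards ('*.example.com' -> apex record); every other SAN,
    apex or named subdomain, needs a record of its own."""
    required = {}
    for name in hostnames:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        required[f"_acme-challenge.{name}"] = f"{name}.{validation_url}."
    return required

def parse_dig_answers(text):
    """Parse dig answer lines 'owner ttl IN type rdata' into {owner: (type, rdata)}."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, *rdata = parts
        records[owner.rstrip(".").lower()] = (rtype, " ".join(rdata))
    return records

def audit_dcv_delegation(required, records):
    """One finding per owner whose record is missing, not a CNAME, or points
    somewhere other than the delegation target (renewal DCV would fail)."""
    findings = []
    for owner, target in required.items():
        if owner not in records:
            findings.append(f"{owner}: missing")
            continue
        rtype, rdata = records[owner]
        if rtype != "CNAME":
            findings.append(f"{owner}: {rtype} record found, expected CNAME")
        elif rdata.rstrip(".").lower() != target.rstrip("."):
            findings.append(f"{owner}: points to {rdata}, expected {target}")
    return findings

# Constructed dig output: the apex record is right; the subdomain's record
# was copied from the apex and points at the wrong target.
SAMPLE_DIG = """\
_acme-challenge.example.com.     3600 IN CNAME example.com.example-validation.invalid.
_acme-challenge.sub.example.com. 3600 IN CNAME example.com.example-validation.invalid.
"""

if __name__ == "__main__":
    need = required_dcv_cnames(["example.com", "*.example.com", "sub.example.com"])
    print("\n".join(audit_dcv_delegation(need, parse_dig_answers(SAMPLE_DIG))) or "OK")
```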
Currently, at certificate renewal, Cloudflare attempts to automatically perform DCV via HTTP if your certificate matches certain criteria:
- Hostnames are proxied.
- Hostnames on the certificate resolve to the IPs assigned to the zone.
- The certificate does not contain wildcards.